How To Build a Cyber Culture in Your Workforce

With exponentially expensive cyber attacks threatening businesses, companies need to educate their most significant cyber vulnerability - the workforce. Here's how to start building a cyber culture in your team.

How To Build a Cyber Culture in Your Workforce

With cyber attacks such as phishing scams set to target any stakeholder in the company, the entire workforce needs to be aware of - and follow - a security policy. Building a cyber culture is vital for businesses, as the repercussions of cyber attacks can be exponentially expensive to rectify. Business leaders are becoming aware of how crucial cyber culture is, considering human error contributes to 95% of successful security breaches. The cost of cyber attacks has amounted to financial losses of over 750 billion GBP globally (1 trillion USD.) We know something in the way we face cyber security needs to change. We need to educate our most significant cyber vulnerability - the workforce.

There is approximately one cyber attack every 39 seconds, yet under three in ten businesses have a formal cyber security policy. Building a cyber culture can be easier said than done, as most employees believe the responsibility of cyber security does not fall on everyone, but instead a specific team. With this mindset contrasting the root of many cyber attack causes, something needs to change.

Most companies do not focus on cyber culture

CEO World reported that half of companies haven’t provided remote workers with any cyber security training - a group commonly and increasingly targeted by cyber criminals. 53% of companies reported they don’t have any remote working security policies at all. With these figures, it’s no surprise that human error is rife.

It can be challenging to know where to start when building cyber culture. There is a plethora of outdated cyber awareness training available on the internet; powerpoints warning the signs of suspicious emails, the need for complex passwords and the use of secure networks. Whilst relevant aspects, these training modules often omit the evolving tactics of cyber criminals, and the new tools and attacks to be aware of.

The challenges of building a cyber culture

The move to remote and hybrid working poses a challenge. Remote employees are regularly targeted by cyber criminals, presenting cyber threats across physical security concerns through to insecure WiFi networks and software. It can be difficult to build a culture with employees based in different locations, regarding training, engagement and momentum.

A Verizon report suggested many employees believe implementing cyber security policies and avoiding security threats is entirely the responsibility of IT and cyber teams. Furthermore, 41% of IT professionals believe employees are willing to engage in risky behaviours with the mindset that problems will be solved elsewhere, or that no one would find out. Employees also stated that security policies can inhibit their jobs - waiting for software or access approvals and so constricting productivity; some avoid this process where possible.

Why you need a cyber culture

Cyber attacks can damage a business in many more ways than financially - such as losing the trust of stakeholders, legal battles, and decreased customer retention. Legal frameworks such as EU-GDPR can lead breached businesses to face costly, brand-damaging legal issues, with maximum fines reaching 17.5 million GBP in the UK, or 4% of annual turnover. Similar frameworks internationally can lead to uncapped fines; Amazon was fined over 600 million GBP (over 800 million USD) for GDPR breaches.

Businesswire research states that customers worldwide would largely stop shopping with a business after a security breach - with 88% of US respondents saying they would stop using the company for several months after a breach, and 44% in the UK. Interestingly, more UK respondents would lose complete trust in the business, with 41% of UK respondents stating they would never return to the company, opposing 21% of US respondents. Wherever your market lies, losing a significant portion of your customers presents a need for cyber culture; to avoid this outcome.

Cyber culture can also benefit the workforce itself. Engaging, relevant training that arms employees to do their job better helps to increase job satisfaction. Satisfaction correlates to employee retention rates and a more productive, efficient workforce.

Building a cyber culture

Employees must understand and agree to form a cyber culture - all parties need to be on board for it to work. Acting as a barrier to building a cyber-aware workforce, employees often believe cyber security is another teams’ responsibility. As an initial step, businesses should address the concerns of the workforce to help navigate changing mindsets. For example, if the consensus believes too many security barriers will hinder their daily job performance, consider ways to decrease the steps, and teach employees the ramifications of not doing so.

Internal communications framework

An internal communications system should allow employees to report suspicious activity with ease, therefore increasing engagement from the team. It is crucial to create a culture of openness that empowers employees to speak up about concerns - as often scams and attacks can show a red flag but not appear as an obvious threat. No question should be deemed wrong, as cyber security relies on individuals spotting suspicious actions and vulnerabilities to rectify them. Employees who contribute should be rewarded and recognised, to incentivise this behaviour and entice other employees to do the same.


Training is a vital step in educating teams about cyber attacks and how to avoid them. This process should be fun and rewarding to keep enthusiasm and participation - not a simple presentation-and-preach. Interactive, hands-on training usually proves the best results. That’s where we come in. TryHackMe helps businesses train teams in cyber security, from the complete beginner through to the seasoned hacker. Our hands-on pathways incorporate fun, competitive gamified learning. They can be the bridge between learning cyber security by the book and learning in a real-world environment, gaining transferrable skills to form cyber culture.

Cyber security professionals also benefit from regular training, to upskill and keep ahead of evolving cyber threats and new attack tactics. With over 400 labs for different skill levels, businesses can use our platform to create branded learning paths that align with skill requirements, giving teams relevant, engaging, personalised training. TryHackMe features a management dashboard that allows progress monitoring across employees, to understand how effectively teams are learning. We help upskill and arm teams with knowledge of tools and practices to mitigate cyber attacks, and can be a pillar to building cyber culture.

Explore TryHackMe training

Security tools

Security tools are integral to your line of cyber defense - although don’t protect against all attack possibilities. Security information and event management (SIEM) tools refer to technologies used to detect threats, compliance, and security incident management, by analysing data sources and security events. SIEM tools that incorporate machine learning have been attributed to helping elevate employee threat detection and response capabilities, increasing the likelihood of early detection and mitigating damage. Using a set of understandable tools employees enjoy utilising helps to arm teams for attacks. It is also essential to generate a shared understanding of updating software and installing patches immediately, to constrain the avenues cyber criminals can exploit for access.

Remote adaptations

Working remotely poses numerous breach possibilities, including the use of personal devices, insecure WiFi networks, and a lack of employee monitoring by security teams. Paired with lessened security protocols across businesses, cyber criminals have more weaknesses to leverage for access. Remote adaptations are necessary to cyber strategy and building a culture, such as software to fill the void of in-house security, remote security practitioners available, and remote-risk-specific training. Employees need to be armed with cyber awareness knowledge, and should feel comfortable reporting activity or mistakes they may have made. Additionally, employees should only have access to the files and resources needed to do their job. Remote training booster sessions are good practice for teams to discuss questions and worries, and keep on top of changes in the industry.

TryHackMe are launching cyber awareness training in December 2021 - a perfect addition to forming cyber culture with engaging, interactive training helping users to stay safe online. We go through common attacks, detection, and how to mitigate them; covering phishing, browsing safely, passwords and 2FA, a dive into malware/ransomware, firewalls, VPNs, and the importance of backups and updates. This training is perfect for the entirety of your team to build foundations for a cyber culture.

Explore how TryHackMe can form a pillar of your cyber security strategy