
Human factors: How can you build a robust cyber security culture?

In this in[ctrl] article, we explore how IT professionals are in a unique position to help their teams mitigate the human factor threat. Read on to discover our handy tips to help you engage your colleagues to become the first line of defence against cyber security threats.

95% of all cyber security breaches were attributed to human error in 2022 according to the World Economic Forum Global Risks Report. 

If your colleagues are the biggest source of risk to your organisation, how can they be blamed for something they didn’t know or understand?

Human error is an unintentional act that often arises because of a lack of knowledge. The human factor is the way an organisation, its culture, the job, and the individual combine to equip people with that knowledge and improve their reliability at work. With this in mind, it’s important we focus our attention on the human factor, especially in relation to cyber security.

Cyber security risks of remote working: The human factor

Many organisations have had to adapt to hybrid and remote working. This way of working has brought many benefits, such as increased flexibility and productivity. However, it has also exposed our colleagues to new cyber security challenges.

Working from home can lead to:

  • a more relaxed environment making colleagues less alert
  • increased distractions impacting attention levels
  • switching between personal and work devices with one having the potential to infect the other
  • unsecured network usage

Embracing the human factor can empower IT professionals to identify opportunities to help colleagues cope with threats and foster a resilient cyber security culture.

What is cyber security culture?

A good cyber security culture develops when all employees understand how to work as securely as possible.

The human factor is the best defence against cyber-attacks and also the weakest link in cyber security. People, not technology, are what create an effective cyber security culture. The first line of defence should be provided by employees who have the knowledge, instinct, and awareness to address security issues. IT departments are the enablers of a security-savvy workforce that ensures business resilience.

6 steps to a robust cyber security culture

If a company culture isn't up to scratch, the human factor in cyber security can become a significant risk. Equip your teams with the confidence to build a resilient cyber security culture in six simple steps.

1. Avoid technical jargon

Technical language has the potential to alienate those who struggle to make sense of it. When educating colleagues on cyber security best practice, keep things simple. Communicate with colleagues outside the IT department using language that’s easy to understand. Accountants, designers, and catering teams might not grasp the distinction between ransomware, trojans, worms, and malware. But they’ll understand the idea that harmful software is often delivered by fake emails to infect computer systems.

Don’t over-complicate your messaging. The ins and outs of block cipher algorithms or egress filtering won’t help your teams to foster a positive cyber security culture. It’ll only confuse your colleagues and lead to a lack of cyber security confidence. 

Tell your teams what they need to know to implement a more cyber-secure way of working and to take action if needed to prevent a cyber-attack.

2. Share a cyber security checklist

A checklist that everyone in your organisation has access to will create good cyber security habits.

Set out, in an easy-to-understand document, the measures everyone should take to reduce the risk of a cyber-attack, when they should take them, and how.

Here are some examples of what you could include in a cyber security checklist:

  • Install antivirus protection and keep automatic updates switched on
  • Back up files to the company cloud storage every week
  • Lock all laptop and device screens whenever you step away, especially in a co-working space
  • Use the company VPN on any network you don’t control, such as home or public Wi-Fi
  • Use a unique, strong password for each account and device, and keep them in a password manager
  • Change a password straight away if you think it may have been exposed
  • Treat every unexpected email as untrusted until you have verified the sender
  • Use password protection and waiting rooms for virtual meetings
  • Disable Bluetooth and file sharing when not needed

It’s important to be aware of threats at the network, device, and data level. A checklist covering all three layers keeps your data and assets safe.

Add screenshots, links or walk-through videos to show how to implement each measure effectively. This visual element provides a step-by-step guide and reference tool. Some colleagues may prefer this self-guided approach.


3. Boost awareness of emergency procedures

A checklist is effective to ensure colleagues are following cyber security best practice. However, even the most resilient of organisations can fall victim to a cyber-attack. All team members should understand what to do if they suspect something isn’t right.

A common example that would require emergency procedures to be initiated is a suspicious email dropping into a colleague’s inbox. Teams need to know what to do should this happen. If in any doubt whatsoever, colleagues should feel confident to contact the First Response Team, and they need to know who that team consists of in the first place. You could add an emergency procedures guide to your cyber security checklist to keep all materials in one place.

Address these points in your emergency procedures guide:

  • Who is the First Response contact?
  • How can colleagues contact them?
  • Hours of service
  • What to do out of hours

Example key emergency procedures:

  • Don’t click on suspicious links
  • Don’t open suspicious attachments
  • Don’t forward the email to others
  • Don’t reply to suspicious emails
  • Do get in touch with the First Response Team as soon as possible
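The “Do get in touch” step only works if the First Response Team can turn a forwarded report into a quick verdict. The script below is an added example, not part of the original article or any Brother tool: it reads one raw email and lists the concrete indicators a responder would check first (external sender, mismatched Reply-To, SPF/DKIM failure recorded by the receiving server, urgency wording, and links whose visible text shows a different site from the real target). The two messages, the domains in them, and the list of trusted domains are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a suspicious message (hypothetical domains, not a real email).
SAMPLE_RAW = """\
From: "IT Service Desk" <helpdesk@it-support-desk.example>
Reply-To: reset@mail-verify.example
To: alice@example.com
Subject: URGENT: your password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=it-support-desk.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 2 hours. Verify your account immediately:</p>
<a href="http://login.mail-verify.example/reset">https://portal.example.com/reset</a>
</body></html>
"""

# Constructed sample of an ordinary internal message.
CLEAN_RAW = """\
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass

Are you free for lunch on Thursday?
"""

# Words that commonly appear in subjects designed to make the reader act without thinking.
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify your account")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Lower-cased host of an email address or URL ('' if none).

    URLs are parsed first so that user-info tricks such as
    http://good.example@evil.example/ resolve to the real host."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return ""


def triage_email(raw, trusted_domains=("example.com",)):
    """Return human-readable indicators found in one raw RFC 5322 message.

    trusted_domains is an assumed list of the organisation's own mail domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = _domain(from_addr)
    # 1. Sender is outside the organisation's own domains.
    if from_domain and from_domain not in trusted_domains:
        findings.append(f"From address domain is external: {from_domain}")
    # 2. Replies would go somewhere other than the apparent sender.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain differs from From: {_domain(reply_addr)}")
    # 3. Verdicts the receiving mail server recorded (anything but pass/none is flagged).
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mech.upper()} result is {m.group(1)}")
    # 4. Pressure wording in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"Urgency language in subject: {', '.join(hits)}")
    # 5. Links whose visible text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = _domain(text)
            if shown and shown != _domain(href):
                findings.append(f"Link text shows {shown} but points to {_domain(href)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(name, triage_email(raw) or ["no indicators"])
```

Each finding is a reason to ask the colleague not to click and to pull the message from other inboxes; an empty list is not proof the mail is safe, only that none of these quick checks fired.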


4. Conduct a simple scenario training exercise

While it may seem trivial, a quick desk-based training session is an effective way to help colleagues reflect on the human vulnerabilities in cyber security. Conducted company-wide, the exercise tests your colleagues’ understanding of different security issues while educating them in a non-threatening way.

Well-structured ‘Do you…?’ prompts will help your teams:

  • self-assess their cyber security habits
  • stay motivated to follow cyber security policies
  • recall the cyber security checklist
  • apply what they know to potential cyber security scenarios they may encounter

You could design the exercise to test discrete aspects of cyber security such as working remotely.


5. Celebrate cyber security successes

Your robust cyber security culture should be an extension of the positive culture of your organisation. Celebrating cyber security successes is an effective way to build a self-assured team, inspire, and make colleagues feel valued for their cyber security efforts.

Motivate colleagues with ‘security scores’ that can be updated weekly. Relate them to training, quizzes, and the spotting of potential threats. Incentivising in this way builds a savvy workforce that views cyber security as an important part of keeping your business safe.

A simple poster on the office noticeboard, a weekly newsletter-style email, or update message will celebrate the cyber heroes within your company who have saved the business from a potential threat and costly attack. This encourages others to follow cyber security processes and spot potential security threats.

6. Provide regular updates

Cyber security shouldn’t be a topic that’s visited once every few months. It needs to be embedded into the business-as-usual (BAU) work of every team and department within your organisation. To make this happen, IT professionals can provide regular updates to keep teams informed about the latest phishing scams and suspicious emails.

You could create a monthly email - Security Scoop or The Phishing Report or something similar - that details all of the latest scams to look out for. These regular updates will keep cyber security on the agenda and prevent colleagues from becoming complacent.

A cyber security culture will not catch everything: some threats will still trick even the best-prepared colleagues, and attacks show no sign of slowing, with ransomware the main attack type in Europe in 2021.

But by implementing a human-centric approach to cyber security, and following Brother’s six steps to building a robust cyber security culture, IT professionals can empower colleagues to reduce this risk. 


What is the difference between human error and human factor?

Human error is an unintentional act - often arising because of a lack of knowledge - that results in failure. Human factor is the way an organisation, culture, job, and individual combine to influence human reliability at work.

What is the importance of the human factor in cyber security?

In cyber security, the human factor comes into play whenever a successful hack or data breach depends on a human action, such as opening a malicious attachment, entering a password on a fake login page, or misconfiguring a system.

Why is the human factor the weakest link in cyber security?

Humans are fallible and make mistakes. A colleague may be distracted, stressed, busy, disgruntled, or overconfident. These traits can lead to mistakes which is why the human factor will always be the weakest link in cyber security.
