From Compliance to Culture – How to Build a Long-Lasting Culture of Cyber Security Awareness
By Karina Mansfield, Managing Director, Phriendly Phishing

You hear a lot about building or fostering a culture of cyber security awareness, but what does it really mean? At its core, an engaged and long-lasting culture of security awareness is built intentionally so that your people are integrated into every aspect of business practice.

A security awareness culture is visible in everyday behaviour: it appears in the organisation’s mission and policies and is evident in everyday work activities.

It’s imperative to shift the perception of cyber security from something that is feared, often unspoken and elusive, to a culture where employees take responsibility for themselves and their organisation's security posture, while providing an environment where people feel comfortable and empowered to talk about security and any issues that may arise.

Although IT security is a critical part of a robust security plan, the most vulnerable area and weakest link for any organisation is its people, with 95 percent of cyber security breaches being caused by human error.

In 2021, Australians were scammed out of over $2 billion, and many cyber criminals focused on attacking individuals through phishing, placing people in extremely vulnerable and stressful situations, as they are usually first in the firing line in any organisation.

Fostering a security awareness culture through education and continued open and honest conversations is key to empowering your people to help protect themselves and your organisation from potentially huge reputational and financial loss.

Practical ways to foster a long-lasting culture of cyber security awareness

Get your people involved: two-way open and honest conversations

This seems obvious, but open and honest communication is critical. It should be delivered with the same importance, intensity and intelligence as other strategic communication efforts, and the aim is to deliver clear and compelling messages to your people that explain what the program entails, how it works, what’s in it for them (not just the company), and why it’s important to get involved.

To be successful, strategic communication needs to be frequent, diverse in content, multi-channel, and relevant to the needs and interests of your people so that it doesn’t become background noise. Another way to engage employees is to ask them what they want from a security awareness program.

Gain employee support with department-level conversations about the impact of cyber threats, to ensure staff see the value of security awareness training and aren’t avoiding processes.

Embedding Security Awareness Champions within various areas of your business is another proven way to gain trust and traction among employees.

Get buy-in at executive level

A successful security awareness program starts with a commitment from organisational leaders, and its continued success depends on ongoing leadership support at all levels of the organisation.

When executives support a security awareness culture and are shown the value it brings in mitigating financial and reputational cost, they will continue to invest resources to support programs, keeping security top of mind for employees.

Invest in education and training

Training is not about “gotchas” or naming and shaming; it should be focused on educating and empowering your people.

Short-lived promotions may do more harm than good by encouraging quick fixes rather than long-term progress. Ensure you have a long-term strategy in place and that your people are on their personalised learner journeys; meet them where they are and support them along the way.

Training content is impactful and effective when it’s short, sharp, convenient, relevant and memorable. Phishing and cyber security awareness can be a complex topic for most employees, so make the training relevant and engaging!

Celebrate and track your success

Successful programs need to be thoroughly evaluated on an ongoing basis; they are not a one-time investment. It’s important to establish the metrics that matter most to senior management, which may include: program awareness, participation rates, a drop in clicked phishing simulations, an increase in reporting of suspicious emails, an increased sense of accountability around security within your employee base (so that it isn’t seen as just an IT security problem), behaviour change, and risk mitigation from a financial and reputational perspective.

Get in touch today to ensure you and your people are empowered to protect themselves and your organisation. Find out more at phriendlyphishing.com