Improving security culture within an organisation is necessary to secure the human element and to promote both personal and collective responsibility for security. The three areas below are where security culture can most effectively be improved.
1. Employee education and awareness. Create comprehensive security training for all employees, and conduct targeted phishing exercises to test how well employees detect and report phishing emails. Use all available communication channels in the organisation to inform employees about security, their responsibilities, and any relevant security news affecting the business.
2. Strong policies, standards and guidelines. Develop security documents that are clear, easy to understand and apply, easily accessible, and communicated to all employees on a regular basis. Keep the documentation up to date, and use training and education sessions to help employees understand its content and to reinforce its importance within the business.
3. Promote a security culture. Management should present security in a positive, business-enabling manner, doing the right thing and leading by example: security colleagues should implement and follow the rules they impose on the rest of the business. Add incentives by recognising colleagues who have been proactive and supportive of security. Provide several platforms where employees can raise questions and ask for help easily and without fear of repercussion.