Cybersecurity starts not with code but with culture

Published April 23, 2026 in Talent • 6 min read

Corporate cybersecurity now depends as much on culture as on technical defenses, explains Ipsos CPO Kerri O’Neill. 

Cybersecurity is often framed as largely or entirely technology-dependent. But many breaches begin with an instance of human error, whether that is an inadvertently clicked link, the ill-advised sharing of a password, or responding to a request apparently from senior management, even though something about it did not feel quite right. With employee behavior playing such a critical role in cybersecurity, chief human resources officers (CHROs) and chief people officers (CPOs) are increasingly involved.

For Kerri O’Neill, CPO at global market research and opinion polling firm Ipsos, this is nothing new. “The topic of cybersecurity has been part of my CHRO remit for almost a decade now,” she says. Notably, during her preceding role at Ofcom, the UK regulator for communications services, the organization took on responsibility for making sure the UK’s telecoms networks were safe and secure.

According to O’Neill, the scale of cybersecurity challenges means that CPOs and CHROs must act now to get ahead of them. “For most businesses, a major cyberattack is catastrophic, both financially and reputationally. It impacts the whole enterprise and takes a huge toll on the people both inside the firm and customers and clients. There is always a people component to any enterprise risk.”

Often, when it comes to technology risks, the people dimension is where many organizations are most exposed, and where traditional approaches to cybersecurity fall short.

The human side of cyber-risk

In most cases, when an employee causes a breach, it is unintentional. “People often don’t join the dots and may not realize that their individual actions carry a cybersecurity risk,” says O’Neill. Increasingly sophisticated attacks, such as advanced phishing schemes, and even deepfakes of company executives, make it harder for employees to distinguish genuine communications from malicious fakes.

While uninformed employees pose a cybersecurity risk, informed and engaged employees can constitute your organization’s first – and strongest – line of defense. But for a people-centric approach to succeed, company leaders must secure buy-in from the whole workforce, embedding cybersecurity best practice into everyday work culture.

“Building a cybersecurity culture really means building behaviors around vigilance, hyper-awareness of the different techniques used by bad actors, and also the importance of raising the alarm when things go wrong or don’t feel right,” says O’Neill.

People leaders play a critical role in shaping organizational culture and must be ready to lead efforts to integrate these principles into the fabric of the business. O’Neill highlights three priorities for establishing an effective cybersecurity culture.

1. Identify cyber-risk as a clear and present danger

Most organizations have cybersecurity initiatives in place, but not all are fit for purpose. “Most have some form of e-learning course that employees complete on an annual basis, just to feel like they are doing something. But if that is the only tactic, you probably have more to do,” says O’Neill.

The most successful approaches emphasize the potential for real damage to the business. At Ipsos, one of the most impactful initiatives involved senior leaders participating in a simulated cyberattack. “Experiencing what an attack feels like, seeing what we would need to do and what we need to prepare for, brought the risk to life,” O’Neill says.

Grounding training in realistic scenarios is critical. For example, tailoring phishing simulations and training exercises to reflect evolving threats, such as deepfakes of senior executives requesting sensitive information, helps employees to recognize risks in practice, not just in theory.

2. Frame friction as a by-product of safety

Leaders must ensure that workers do not come to view cybersecurity measures principally as a source of irritation. Additional security steps can slow work processes down, impacting efficiency goals and creating friction with a workforce under pressure to hit productivity targets. If left unaddressed, such frustrations can undermine cybersecurity culture. Rather than allowing workers to see security measures as a drag on productivity, people leaders must reframe them as essential to safeguarding business processes and protecting the workers themselves.

“The more you can do to help people understand that this friction benefits all of us, the less likely they are to try to find workarounds that could compromise security,” says O’Neill. “It requires a huge amount of buy-in for people to play their role in managing risk.”

Another challenge is attaining engagement. When cybersecurity is explained in overly technical or compliance-driven terms, employees can see it as a box-ticking exercise. It falls to people leaders to translate the concept into language that resonates with employees.

“If your employees think cybersecurity is boring, it is probably because you have made it sound dull. Once you start talking to people about it in the right way, they see how vital and interesting it is,” says O’Neill. “Employees then want to play a community role in making sure good cybersecurity habits are in place and understand they are part of a broader ecosystem that keeps us all safe.”

3. Make it safe to speak up

One of the most commonly overlooked aspects of cybersecurity is creating an environment where no employee fears the potential repercussions of highlighting a breach or risk. “I would always prefer people to raise the alarm about something they are worried about and find out it was actually legitimate, rather than be afraid to raise it,” says O’Neill.

This is particularly important when dealing with highly convincing – and consequently difficult to detect – executive deepfakes used to solicit sensitive information from employees. But O’Neill acknowledges that, in global organizations, cultural dynamics can make this challenging. “In some countries, management hierarchies are very established and the idea of questioning someone more senior is hard to grasp,” she explains.

CHROs and CPOs should have the firmest understanding of these dynamics and should lead on communicating expectations effectively across different regions. This includes creating environments where employees feel safe to question unusual requests, even when they appear to come from senior leadership.

Measurement also plays an important role. For Ipsos, as a research firm, this comes as second nature. “We regularly measure people’s sentiment about raising concerns. For example, we ask: have you made a mistake and what was the response when you reported it? That allows us to identify areas, such as countries or functions, where more targeted activity is needed,” says O’Neill.

A strong culture is the best defense

Cybersecurity, then, cannot be treated as a purely technical function. As threats grow in sophistication, employees form both an early warning system and a first line of defense. Embedding cybersecurity into everyday working culture and fostering the confidence to speak up are critical to reducing risk.

CHROs and CPOs should have the deepest understanding in the business of employee behavior and organizational dynamics, uniquely positioning them to influence how employees engage with cybersecurity.

By designing tailored training and fostering psychological safety, people leaders can turn cybersecurity from abstract policy into an organizational mindset shift. In an evolving threat landscape, it is this dynamic that will determine the degree of resilience.

Expert

Kerri O’Neill

Ipsos CPO

Kerri O’Neill is an award-winning Chief People Officer at Ipsos UK and Ireland, recognized in the CIPD HR30. She is a strategic HR leader with 20+ years of global experience across people, AI transformation, ESG, and organizational change, operating at the intersection of business, technology, and culture. A CIPD Fellow, AI Advisory Board member, executive coach, and Oxfam GB trustee, she is focused on building high-performance organizations that create lasting social impact.
