5 Steps to Create a Culture of Security


Every single day there are stories in the news of towns getting hit with ransomware attacks costing millions of dollars. Employees are duped into providing passwords and other credentials to hackers.  Major vulnerabilities are discovered in software platforms that don’t get patched in time.  Large organizations are just as susceptible to bad cyber practices as small organizations. 

After years of stories like these, what must we do differently to protect ourselves and our data?

We must create a culture of security that takes a proactive, defensive stance instead of a reactionary one.  These five steps will help get you on the right path.

  1. The Basics

Your organization should have the basics in place: firewalls, VPNs, strong password policies, multi-factor authentication, limiting data access to only those with a need to know, a backup and business continuity plan, and patch management procedures.

  2. Executive Buy-In

Your organization must take a top-down approach when creating a cyberculture.  You CANNOT have the executives at your company disregarding these policies and procedures because the policies annoy them.  Your employees will mimic what you treat as a priority.  It is on you to set the tone with your actions to ensure a good cyberculture.

  3. Ongoing Training

The methods of cybercriminals are constantly evolving.  The most effective methods involve social engineering, the psychological manipulation of a person into giving up credentials or confidential data.  It is imperative to maintain regular training for everyone.

A contract I managed several years ago required annual cybersecurity training as part of the contract.  We implemented this method corporate-wide.  Check out this free Department of Defense course at https://public.cyber.mil/training/cyber-awareness-challenge/

  4. Non-punitive Reporting

Even with all the preparation in the world, mistakes will happen.  A file will accidentally get sent to the wrong person.  A mis-set checkbox will grant someone access they shouldn't have.  A software vendor will disclose a vulnerability that is out of your control.  You need a reporting and communication plan for when these types of mistakes occur.  Unless the problem is repeated or extremely egregious, reporting it should not be met with punishment.  You need a culture of trust around reporting so that problems can be resolved and not repeated.  Otherwise, employees will be reluctant to highlight them.

  5. Outside Auditing

Third-party validation is a fantastic way to confirm that your company is maintaining a good cybersecurity culture.  An outside consultant can provide services such as penetration testing, social engineering testing, or assessment against industry standards such as HIPAA, PCI DSS, and NIST SP 800-171.


Forced CyberCulture

It's reasonable to look at that list of five things and think everyone is already doing this.  But you'd be surprised.  Certain industries, such as medical and financial institutions, have had specific cyber regulations to follow for some time.

But if you wanted to start a digital marketing firm, for instance, there are no requirements beyond self-regulation.  In fact, until now companies have been able to get cybersecurity insurance policies based on self-reported information.  I know this because I've helped companies fill out the forms.

That is now starting to change.

Later this year, all Department of Defense contractors will be required to go through CMMC (Cybersecurity Maturity Model Certification) via a Third-Party Assessment Organization (3PAO).

Michael Ferritto, Business Development Director of Aquila Technology, has been working on this initiative in pursuit of becoming a CMMC Auditing Agency.

He reports that while the auditing standards have not been finalized, it will be broken down into five levels.  Level 1 is basic hygiene, and there are very few internal processes corporate-wide.  Level 5 will be for a very small subset of contractors that maintain a security operations center that is running 24/7. 

Mr. Ferritto expects that most organizations will fall between Level 1 and Level 3.  Basic guidance is for organizations to follow document NIST 800-171 and its 110 protocols, which you can easily find on the NIST website. (UPDATE 2023: The CMMC Program has been updated to only have 3 levels with most companies adhering to Level 1 or 2)

Until now, government contractors were also self-regulating.  Going forward, certification will require a third party.  Additionally, contractors will need to ensure that their vendors and subcontractors are audited as well.

I predict that once the federal government solidifies its auditing procedures that this will expand to the general consumer marketplace by insurance companies. 

As more insurance companies have to pay out cybersecurity claims, they will want independent auditors to verify that those companies that suffered a breach have implemented best practices for the size and industry of their organization.

But what do you think?

Do you inherently trust an organization blindly with your data?  Do you assume they are taking proper steps to ensure cyber hygiene? 


You can find John Barker at linkedin.com/in/john-n-barker or instagram.com/johnbarker78


About the Newsletter

Get One Tip every Sunday morning to optimize and secure your business technology.

John Barker

John has over 25 years of technology experience and earned a Bachelor’s in Business Management & MBA.  He also holds CISSP and PMP certifications.