Tuesday 07 Jan 2025

This article first appeared in The Edge Malaysia Weekly on December 30, 2024 - January 12, 2025

In today’s digital age, cyberthreats lurk around every corner and a single click can open the floodgates to data breaches, financial loss and reputational damage. It’s no longer enough to have a top-notch cybersecurity strategy — you need a culture that prioritises security at every level. After all, as the saying goes, “culture eats strategy for breakfast”. Let’s explore how to cultivate a cybersecurity culture within your organisation that’s as robust as your firewalls.

Understanding the cybersecurity culture

Imagine your company as a castle. Your cybersecurity measures are the walls, moats and drawbridges protecting it from invaders. But what if the people inside the castle leave the gates open or unwittingly guide the enemy through secret passages? That’s where culture comes in. A cybersecurity culture means that every person in the castle — from the king to the kitchen staff — is vigilant and knows how to keep the fortress safe.

Leadership: Setting the tone from the top

Leadership is like the royalty of the castle. They set the tone for how things are done. When executives demonstrate a commitment to cybersecurity, it sends a message that resonates throughout the organisation. Take the CEO of a major bank, for example, who starts every meeting with a brief on cybersecurity. This simple act ensures that security remains a top-of-mind concern for all employees.

Education: Arming the troops

Knowledge is power, and in our castle, it’s the sword and shield of every defender. Regular training sessions are crucial. They don’t have to be dull lectures. Think interactive workshops where employees learn to spot phishing attempts, much like a game of “spot the spy”. By making learning engaging, employees are more likely to absorb and apply the knowledge.

Communication: The herald’s cry

Clear and consistent communication is the herald’s cry that keeps everyone informed. Whether it’s a newsletter, intranet post or a simple email, sharing stories of both successful thwarting of attacks and cautionary tales of breaches can be powerful. For instance, a company might share how a vigilant employee prevented a malware attack by questioning an unusual email request.

Empowerment: Mobilise the citizens

Every person in the castle has a role to play in its defence. By empowering employees to make smart security decisions, you’re arming your citizens. This could be as simple as giving them the authority to report suspicious activity without fear of reprimand. A real-life example is a tech company that rewards employees for identifying security flaws, turning every staff member into an active guardian of the company’s digital realm.

Responsibility: The knight’s oath

Just as knights take an oath to protect the realm, employees should understand their responsibility in maintaining cybersecurity. This means incorporating security practices into everyday routines, like locking screens when away from desks or using complex passwords. It’s about making security second nature, just as a knight instinctively reaches for their sword when danger approaches.

Accountability: The council of elders

In our metaphorical castle, the council of elders holds people accountable. In a company, this could be a dedicated cybersecurity team that regularly checks in with departments to ensure they’re following protocols. They’re not there to punish but to guide and help fortify the defences.

Inclusivity: The round table

Cybersecurity isn’t just the realm of IT; it’s a company-wide concern. Think of the round table, where everyone, from knights to advisers, has a seat. Similarly, creating cross-functional teams that include members from various departments can foster a sense of shared responsibility and inclusivity.

Adaptability: The evolving fortress

Just as castles were updated to respond to new siege tactics, your cybersecurity culture must adapt to the changing threat landscape. This means staying abreast of the latest cyberthreats and updating policies and practices accordingly. It’s a continuous process of improvement, much like fortifying a castle’s defences after each battle.

Recognition: Celebrating the victories

Recognising and celebrating successes in cybersecurity can boost morale and reinforce the importance of everyone’s role. For example, a retail company might celebrate a quarter without incidents by acknowledging the collective efforts of its staff, reinforcing the value of their vigilance.

Conclusion: The united front

Cultivating a culture of cybersecurity is about creating a united front where everyone understands their role in protecting the company’s digital assets. It’s about moving beyond policies and protocols to instil a mindset where security is as natural as breathing. When employees at all levels take pride in being the guardians of their company’s cyber castle, the organisation becomes a much tougher nut for cybercriminals to crack.

Remember, in the realm of cybersecurity, it’s not just the strength of your walls but the vigilance of your people that keeps the kingdom safe. So, rally the troops, empower your citizens and let the banners of a strong cybersecurity culture fly high above your castle walls.


Jaco Benadie is partner at Ernst & Young Consulting Sdn Bhd
