Here’s how you can lower risk by changing attitudes from top to bottom.

When it comes to defining an organization’s mission and vision, a lot of time is spent refining and getting it right. However, when it comes to making security awareness part of that overall approach, this isn’t the case.

With security awareness, creating a mission typically equals checking a box when really, it should be about commitment and underscoring the importance of security. A commitment to security from every employee and an understanding of how important it is to be secure should be part of an organization’s guts and what makes it successful. 

But to facilitate this, your awareness training must first engage your employees and engagement is definitely not just checking a box. It’s about going from compliance (“I took the training”) to commitment (“I learned from the training and modified my behavior because of my newfound awareness”).  

Getting everyone committed is a key element for making any cybersecurity program work, but it is exceptionally difficult to create what is essentially a dramatic shift in corporate culture.

Four C’s of a Cybersecurity Awareness Program

In a recent Cyber Resilience Insights post, Josh Douglas wrote about the four key “Cs” on which cybersecurity awareness programs will either succeed or fail: compliance, commitment, complexity and culture. He argued culture is the hardest to change and move the needle on, but at the same time, it’s the one with the most impact. 

My takeaway: with the right approach, you can not only build a program around cybersecurity awareness but have that program foster behaviors that are ingrained directly into the day-to-day behavior of your employees, specifically the instinct to “stop, think and verify.” 


When this has become part of your culture, you will have moved the needle on behavior, lowered your risk and truly made your employees part of the solution instead of the problem.

5 Steps to Changing Corporate Behavior Around Cybersecurity

Cyber awareness training is paramount when it comes to shifting employee behavior and lowering risk. The key is to make sure senior leadership rallies behind it to create commitment to a strong and lasting cybersecurity program. Here’s how to get started, in five steps:

  1. Get buy-in and commitment from senior leadership.

Behavior in a company always starts at the top. To get your whole organization on board with cybersecurity awareness, the key stakeholders who set the tone for everything you do must be your biggest champions. If they aren’t, it’s going to be very difficult for your efforts to succeed.

  2. Be persistent.

Annual or quarterly training—which we found is what 52% of organizations do according to the 2018 State of Email Security Report—isn’t effective. Your employees will take the training and likely forget about it until they do it again next year. Conducting the training in short bursts monthly will work much better.

  3. Make sure training is engaging and fun.

Nobody likes training that’s boring, dull or makes you feel like you’re being preached at or talked down to. Injecting humor into what you’re trying to provide can be a great start to an engaging and effective cybersecurity awareness training program. And keep it short. EVERYONE is busy. If you can’t get your point across in three to five minutes per training session, you are doing something wrong.

  4. Underscore the importance of basic security hygiene.

Context is critical for your program to work. Provide real-life examples of how your organization may have failed and consequently suffered a cybersecurity breach. This will lend added weight to what you’re trying to accomplish. And while phishing is the number one attack vector companies face, it’s not the only one.

Basic security hygiene means not plugging in unknown USB devices, not discussing proprietary information in public places, and not leaving your screen unlocked when you step away to grab a coffee. A little bit of heightened situational awareness goes a very long way toward keeping the entire organization safe.

  5. Keep track of performance and effectiveness.

You’ll need to find the correct metrics to show how your program is working. Otherwise, you won’t get the support you need to continue doing this important work. Click-through rates of your program elements are a good place to start.

