When it comes to cybersecurity, humans are the weakest link. We make illogical decisions, often influenced by social engineering tactics. We rush and make mistakes. And when we’re overwhelmed, we’ll ignore security measures altogether just to get the job done, which increases our vulnerability.
Despite this, few organizations invest significant effort in building a security culture. Instead, most rely on solutions that have proven ineffective, like cartoon explainer videos, simulated phishing tools, or the endlessly reiterated exhortations to ‘be more careful’.
So, human imperfection is exploited again and again, while companies search for ever more powerful tech to somehow remove the human aspect entirely.
In this article, I’ll talk about why traditional awareness programs fail to produce buy-in and share how you can build a cyber-aware culture that will protect your data by including your people in risk management.
Real-world risks tied to human error 
According to IBM’s 2024 ‘Cost of a Data Breach Report,’ “Canadian organizations pay an average of CA$6.32 million per data breach.”
These costs can include:
- Paying fake invoices
- Fines
- Lawsuits stemming from loss of customer data
- Theft
- Ransomware
- Losing contracts
- Downtime
If a business is not sufficiently protected, those costs can be catastrophic and may even lead to the end of the organization.
Even if you can weather the financial storm, a major breach has knock-on effects that go beyond financial losses.
- Loss of data that gives you a competitive advantage
- Regulatory risks due to the compromise of personal information
- Reputational impact, which could lead to a loss of customers
- Unrecoverable loss of data the business can’t run without
- Legal issues due to non-compliance
This two-pronged impact compounds consequences, making recovery even more difficult.
Addressing the elephant in the room: Why most companies would rather spend on tech than training
From my perspective as the VP of Service Delivery & Innovation, one of the biggest reasons organizations don’t build cyber-aware cultures is fatalism. Again and again, I hear, ‘We’re not going to get full buy-in from our teams. We’re not going to be able to train every employee. So, why bother?’
There is some truth behind this, which is why it’s so prevalent. You’ll never get perfect compliance from your team, and protecting the business from cyber security attacks isn’t your employees’ job. So, leaders reason, it’s better to invest in secure software than train imperfect humans to mitigate cyber threats.
But this misses the point. You don’t need to be technologically comprehensive or perfect to better protect your company from threats to information security.
Why traditional awareness programs fail
Free time is at a premium these days. Employees are staying late, arriving early and working through lunch to keep up. Then, when they get home, there are pets, kids’ extracurriculars and supper to think about.
With all those responsibilities, most people don’t have a lot of room in their heads for anything that’s not staring them in the face. So any additional training outside of their job focus faces significant headwinds.
Complicated requests
Especially with something as intricate as cybersecurity, people tune out fast. The companies that build strong cyber-aware cultures know that, and work to simplify requests before employees ever see them.
For example, I was working with the president of a bank who got his first iPad in his 90s. Naturally, he wasn’t very tech-savvy, and a lecture from me wasn’t going to change that. So, I decided that I was going to only try to educate him on one simple concept. I put a lot of time into thinking about what I should teach him, and ended up walking him through multi-factor authentication.
Of course, that doesn’t solve all his security issues, but since his iPad was his primary computing device, it did make him materially more secure than if I had either a) given it up as useless or b) tried to give him a university-level course that he would end up ignoring.
Relying on authority
Simplifying tasks goes a long way to making a security culture possible. But no matter how simple your solutions are, it’s hard to get buy-in with commands.
For example, a major company had a problem with thieves coming into the office and stealing computers. They told employees again and again that they had to stop holding the door open for people they didn’t know.
Even with a problem as concrete as thievery and a solution as simple as not holding a door open, no one was willing to take on the mental load to change their habits.
So computers kept getting stolen.
Instead of giving up or just adopting more technology to fight the thefts, the company changed their narrative to make it more personal, concrete and relevant. They showed their employees videos of thieves coming into their office and stealing their computers.
After that, everything changed. Seeing it made it personal, so employees made the requested changes, helping the company stop the thefts.
How leadership, culture, and consistent reinforcement shape behaviours
From that example, we can see that most people are unwilling to make even small changes just because they’re told to.
But when the narrative changes, the action changes.
This is most evident in the trades. Steel-toed boots, hi-viz vests, hard hats, and properly tying off when working at heights add significant friction to the average worker’s day. Certainly a lot more than not holding doors for people. But today, the average worker is willing to jump through the hoops.
Part of that is reinforcing the safety narrative, but it’s also due, at least in part, to managers and above embracing a safety culture, giving the narrative scaffolding to hold it up. If a worker comes in without personal protective equipment, it’s more than a slap on the wrist. Even if they’re needed, they’re simply not allowed to work. Consequences like these reinforce the serious nature of the rules, encouraging workers to fully buy into a safety (or security) culture.
Build buy-in by actively supporting cybersecurity
Likewise, if your C-suite doesn’t believe in and actively support cyber security measures through real-world actions, the rules and cartoon explainer videos will never be taken seriously.
The executives have to walk the walk and do so publicly. They need to fund efforts. They need to talk about and emphasize them. And, they need to start their meetings with a safety or security moment if they expect anyone else in the organization to do so.
Three building blocks for a more resilient cybersecurity culture
All of the above can be summed up in three simple steps.
- Simplify your ask
- Build a compelling narrative
- Lead by example
iON’s role in helping you create a robust cybersecurity culture
Though we’re a technology company, at our heart, we’re built by and designed for people. It’s in our DNA and written all over our values. We’re driven to serve, founded on collective genius, tied together through laughter and committed to having your back because technology is nothing without the human behind it.
That’s why our focus expands beyond tech solutions to include the methods and habits that will empower people to increase security.
With that broadened scope, we help organizations align policies, processes, and technologies to support people, not just enforce rules.
Results that echo, company-wide
When you ignore the humans on your team to focus only on technology, you are signalling distrust, which can disempower your team. Whether the technology works or not, this lack of trust isn’t healthy in any organization. And the truth is, without proper buy-in, the technology will never work as well as it could.
But when you approach security as a fundamentally human endeavour, embracing your people and the role they have in keeping all of you safe, you build empowered teams who see themselves as part of the defence strategy.
And that makes every piece of technology you have more powerful.
Get Started with iON
Compliance can be complicated, time-consuming, and confusing. At iON, we help you understand, navigate, and ultimately achieve compliance, whether you’re pursuing ISO 27001, SOC 2, or any other frameworks that may be relevant to your industry.
If you need to demonstrate a minimum level of security to customers, partners, or regulators, compliance provides that external proof. And when compliance is a requirement, it’s essential to get it right.
iON offers a range of services that directly support compliance processes, including vulnerability management and penetration testing, which are both required in frameworks like PCI and SOC 2. We can help you check the right boxes while building a stronger security posture for your organization.
Contact us today to start simplifying your compliance journey.