Sloane Logo Inline

Improving staff security culture

In today’s world, where cyber attacks and insider risk events are becoming more prevalent, having a strong staff security culture is crucial for businesses of all sizes. However, building one can be challenging, especially when staff members lack the necessary knowledge or training to identify security threats.

In this blog, we will discuss what security culture is, and the practical steps that businesses can take to improve it.

A significant portion of our work involves Physical Penetration Testing, a real-world style of attack with the aim of covertly accessing a building with the intention of obtaining IP, data, property, or network access. We consistently find that the weak link, enabling us to gain initial access is the human element.  This is typically staff who fail to notice suspicious activity or ignore it. For example, a key method of bypassing an expensive access control system is to tailgate, people often know they have been tailgated, but if the tailgater (often a female) does not appear to be a threat, rather someone distracted and busy, staff frequently allow them to continue into the building without question. Once inside, it is easy to blend in, obtaining material, which if compromised could be devastating to the business. Most organisations will specify that allowing access via tailgating contravenes security policy and procedures. This deliberate act of ignoring the rules can be explained by poor staff training, the failure to understand security threats, again related to training or disinclination to acknowledge the activity, usually because confrontation makes people uncomfortable.

What is Security Culture?

A good staff security culture is demonstrated by a strong, consistent mindset throughout the organisation, with buy-in at executive level. Staff know the rules and stick to them because they understand them and value them.

There are two approaches to creating a strong security culture, carrot and stick. Sometimes referred to as concordance and compliance cultures. A concordance culture relies on people

understanding the risks and being rewarded for positive action. A compliance culture is demonstrated within many government departments, with disciplinary action being taken for poor security behaviour such as loss of sensitive items and failure to lock workstations. In many compliance driven organisations, staff are well trained, they will question other staff members who do not display ID or appear suspicious. They are not uncomfortable doing this because it is expected behaviour, not something odd, additionally, they may face disciplinary action if they are noted as not questioning something they have observed. A truly great security culture can be created with a combination of both approaches, staff should know and understand the rules, and follow them because they want to for the good of the organisation as much as fear of sanctions.

How can a strong security culture be achieved?

The top five steps to creating a strong security culture are:

  1. Training

The key to creating and maintaining a strong security culture is ongoing business-specific security awareness training, mandatory for all employees, regardless of their role, it should be conducted upon initial induction and on a regular basis to ensure that staff members are aware of the latest security threats and mitigation strategies.

This should be via a thorough training package, not just policy provision. Training should be comprehensive and should cover everything from how to identify and mitigate potential threats to best practices for securing data and devices. It should educate staff on the various business assets, and what the reputational or financial impact would be if they were lost or compromised. It should be tailored to provide knowledge based on the threat profile of the organisation, and both current and emerging threats. Training should be provided in a range of formats to suit all learning styles and hybrid working variations and should be constantly reassessed and improved.

  1. Create a Security-Conscious Environment

Creating a security-conscious environment means ensuring that all staff members understand the importance of security and are encouraged to report any potential security incidents. This can be achieved by promoting a culture of openness and transparency, where employees feel comfortable reporting any suspicious activity, they must also know who and how to report it to, with clear procedures in place.

    3. Ongoing Testing

Internal security testing should be comprehensive, frequent and be backed up by policy and procedures, for instance, if all meeting room doors should be locked when not in use, this should be tested and someone should be accountable, whether that be the last person to book the meeting room, or someone with overall meeting room responsibility. Consistent failure to comply can be related to performance and review, or a softer approach would be to reward strong security behaviour.

  1. Conduct Regular Security Audits and Penetration Testing

There are both pros and cons to audits and physical penetration tests, an audit will often be more comprehensive, measured against policy and procedures, standards, regulations, accreditations, and staff interviews, but it might not show the practical realities. whereas a PPT is more likely to identify the staff hacks, the procedures which in reality are not being complied with and missed vulnerabilities but is likely to be conducted over a shorter time frame, with not enough time provided for the deeper analysis. In reality, both be used to gain an accurate representation of the security culture. This level of auditing and testing should be conducted by third-party providers, the results should be used to implement changes and improve the overall security culture.

    5. Buy in

The successful development of a strong security culture relies on investment at C-suite level. Executives must lead by example, measure performance and invest the time, resources and finances to create suitable ongoing training and testing programs.

In conclusion, it is not impossible to turn a security culture around, but it needs to be carefully managed to gain maximum return.

Building a strong staff security culture requires a combination of management buy-in, regular training, testing, policies and procedures, and a commitment to creating a security-conscious environment. By implementing these strategies, businesses can significantly reduce their risk of cyber-attacks and physical breaches and ensure that staff members are equipped with the knowledge and skills they need to identify and respond to potential security threats.

Hayley Elvins

Chartered Security Professional

Sloane Risk Group

For information regarding physical penetration testing, security culture development, staff security awareness training or insider risk projects contact:

This website uses cookies. This data helps us provide the best experience for you, keeps your account secure, helps us provide social media features and allows us to personalise advert and service message content. Please select 'Accept all' to consent to us collecting your data in this way.