Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
22 November 2023

Creating a secure culture: A practical guide

In the previous blog in this series, we explored the commonly overlooked areas within human risk management, and why they’re so important to cover at a time when humans are responsible for the majority of cyber breaches. To complete the series, we’ll look at how to address human risk in practice, by developing a positive, engaging, and proactive secure culture throughout your organisation.

A key point to emphasise is that merely ramping up current security awareness training programmes is nowhere near enough these days. Neither is simply ‘giving up’ on human security best practice because the training isn’t getting through, and instead putting all your security eggs in the solutions and technology basket. 

A secure culture is vitally important because so many cybercriminals are now successfully exploiting human psychology and emotions. They’re attracting the attention of people who feel curious, angry, scared or any other type of emotion, who are then driven to open malicious attachments or click on dodgy links by their heart rather than their head. Developing a secure culture maximises the chances of employees making decisions with their heads instead.

What is a secure culture?

Before we go into the practicalities of a secure culture, it’s important to differentiate it from traditional security awareness training.

The main difference can be found in who is making the effort to apply security best practice. With security awareness training, that resides with the CISO, the security team, or (if applicable) the IT team in general. They’re responsible for drilling vital information into the minds of the workforce, but the success of this training is entirely dependent on the willingness of each individual employee to engage with the subject matter and take it seriously.

On the other hand, with a secure culture, that effort is made by absolutely everyone across an organisation, whether they work in IT and cybersecurity or not. This is where everyone is empowered to understand why security best practice is important, what the consequences are if a breach occurs, and are proactive in upholding those standards.

Turnkey Mitigating Human Risk- How to build a secure culture 1200x200

How you can create a secure culture

So how can you develop that secure culture and reach that state of constant awareness and proactivity? Well, firstly, it’s not something that’s going to happen overnight: it will take gradual change and adjustment to security processes and frameworks, many of which will have been ingrained within organisations for years or even decades. We recommend these six vital steps as the best starting point:

  • Assess security posture and awareness: look at your current security situation and how data is handled. See if there are patterns in good or bad practice across employees, vendors and channel partners, and whether there are any teams or processes that are especially vulnerable

  • Identify and analyse threats: prioritise any risks and threats that you know about, and simulate scenarios when they arise, so that you can better formulate responses to them. Partnering with an expert third party can help here, so that you can gain an objective view of where you might have weaknesses in your response strategies

  • Investigate employee behaviours: look for any pain points in day-to-day employee activities where they may be especially vulnerable to poor practice or simply dropping their guard. Start to bring in regular, gentle reminders that can gradually encourage employees towards better user behaviour and security practice

  • Gain insights from past incidents: any breaches or incidents that you have previously suffered are full of information and learnings that you can take forward. Explore what went wrong and why, and ensure the right measures are in place to prevent those issues from reoccurring

  • Change processes and training: with all of the above complete, you can then set about remodelling your processes to support better behaviours. Communicating the change is vital to ensuring strong employee buy-in, and helping promote regular training and constant, proactive best practice at all levels of the workforce

  • Automate where possible: technology still has a role to play, especially in areas where it can reduce the risk of human error. Investigate solutions such as user access and authorisation, multi-factor authentication, password management, spam filters and encryption, as well as AI-supported security tools that can flag up (and sometimes automatically deal with) anomalies

In summary

Developing a secure culture is a gradual process, but one that is well worth the time and investment along the way. With a strong, sustainable secure culture in place, you’ll find it far easier to keep data, systems and applications safe, and reduce the threat of constant security events overloading your solutions and security team. And at a time when both cyber threats and penalties for security non-compliance are both increasing, a secure culture can make a real difference to the future success of your business.

Find out more on creating a secure culture in our upcoming live webinar. Sign up today and you’ll be able to discover how to identify human risks, how to mitigate those risks with tools you already have, and expert insights on the benefits of a secure culture.