It is your employees' knowledge, awareness, attitudes, and actions regarding the threat landscape, cybersecurity, and information technologies that shape an organization's cybersecurity culture. To build a positive culture, it is key that you focus on people and not just processes or policies. It is your employees’ day-to-day work and conscious investment that drives a positive cybersecurity culture and, ultimately, make your organization secure.
Implementing a strong security culture can increase an organization’s resilience by as much as 46%, as noted in Cisco’s Security Outcomes Report. Security resilience is the ability to protect the integrity of every facet of your business so it can withstand unpredictable threats and emerge stronger. A positive cybersecurity culture can foster constructive habits, such as:
- Employees are likely to recognize gaps and aid in resolving them, helping organizations to minimize risks.
- Employee happiness and retention can also increase through building an inclusive and educational space in which security rules exist and are openly discussed.
- Teams can openly share problems without fear of retaliation, and remain equipped with knowledge that deters them from using shadow IT services.
Handshakes is an award-winning DataTech company founded in 2011 that enables businesses to make informed decisions through delivering meaningful insights from reliable data. They are located in six cities in Singapore, Australia, and Taiwan. As a tech-based company, developing a cybersecurity culture is vital to their success. Kenneth Ham, Chief Information and Security Officer at Handshakes, was collaborating with a client when he discovered the benefits of LastPass. He recognized the role of a dynamic password manager in building a robust cybersecure culture and promptly invested in the password management solution.
Let’s look at three ways Ham built a strong cybersecurity culture at Handshakes, and how LastPass helped along the way.
Establish a zero-trust environment
Multi-factor authentication (MFA) and zero-trust are two security strategies to increase access controls, and many businesses are now looking to adopt a zero-trust mindset. A framework for corporate cybersecurity known as a zero-trust strategy requires all users to be continuously validated, authorized, and authenticated before they can access systems or company data. As we enter a permanent phase of hybrid working, this encompasses users both inside and outside the company's network. With LastPass, implementing and onboarding your password management tool is an easy and simple process with a user directory. It helps to automate oversight of business password management by automatically testing and recognizing a user's identity.
Ham comments: “As soon as we recognized the risks that poor password hygiene presented to our business, I knew immediately that a password manager with a zero-trust environment was the solution to our problems.”
Establish a top-down approach
To really enable buy-in from your team, good cybersecurity practice and password hygiene should be executed by the C-suite and cascaded down through the organization. If the CEO, CFO, and CISO are adhering to cybersecurity practices, they can lead by example and set the standard for the rest of the team. Be sure to engage your C-level executives with the mandatory security training and make it known that security policies and processes will be enforced across the board, irrespective of seniority.
Operate on the assumption that practices take time to spread throughout the company and that culture evolves with that same time and effort. While building a zero-trust environment with LastPass, Ham assured employees that access to their vaults remained solely with them. This empowered his staff to maximize their usage knowing that they all had the same responsibilities and tools, irrespective of job title or administrator access. “Neither LastPass nor any internal admins can access an individual’s vault and I think that’s really important, a zero-trust environment is crucial and allows our team to confidently adopt the product,” says Ham.
Make cybersecurity easy and engaging
Being transparent, clear, and consistent in messaging is essential for the development of a positive cybersecurity culture. People learn differently, so don’t be afraid to get creative when delivering your cyber security training. For some, simulating social engineering attacks that mimic real-life phishing attempts can help employees realize risks. Also, be sure to approach training in a constructive manner. Employees who make mistakes should not be reprimanded or shamed; instead, their mistakes should be seen as a learning opportunity to create a culture in which no question is too basic or simple. A tool like LastPass makes it easy for employees to adopt security hygiene. With a built-in password generator, they can create strong, unique passwords, plus manage and access their passwords across all their devices and browsers.
Swiftly after investing in LastPass, Handshakes were able embed policies within their admin console such as a password generator, password sharing with restricted external access, and Dark Web Monitoring alerts to make LastPass the sole hub for key credentials. The team are able to comfortably manage password hygiene in a simple and easy format. “With LastPass, password hygiene has become second nature to our team,” Ham adds.
For Handshakes, their investment in LastPass not only forged the foundation for their cybersecurity strategy but became an integral element of their workplace culture. Ham recognizes how it has become embedded within their dialogue and can now often be heard echoed within offices as they safely collaborate. “LastPass has become an integral part of our company’s culture and even our language. We hear it often in our office being used as a verb, as it helps us to safely complete tasks.”
To find out more about how LastPass helped Handshakes to develop their cybersecurity culture, read the full case study here. 
