Building a Cybersecurity Culture in the Workplace

According to the 2023 Bitwarden Password Decisions Survey of independent IT decision-makers across a range of industries, 60% of respondents reported their organization experienced a cyberattack within the past year. Almost half (49%) report struggling with employees who use unauthorized devices or software without IT’s approval, most (80%) report having a ransomware mitigation strategy, and 75% report their organization has cyber insurance. 

These statistics reflect a corporate landscape that is saturated with data security risks. Another recent industry study found that 66% of respondents reported their organization was affected by ransomware, with the average (mean) ransom payment almost doubling from $812,380 in 2022 to $1,542,333 in 2023. 

Organizations are regularly targeted by cyber criminals aiming to exploit risky internal behavior and an inadequate cybersecurity culture. This blog explores common habits that create data security vulnerabilities and discusses strategies for developing a culture of security, such as ensuring credential security best practices and regular cyber awareness training. 

Earlier in this blog, we referenced a statistic about employees who use unauthorized devices or software without the IT team’s approval. This can create risks for organizations by introducing new attack vectors that  IT teams or a security operations center (SOC) isn’t aware of and able to control. The same report found that:

Almost all respondents (90%) reuse passwords

• Over half (54%) keep track of passwords on computer documents, while 29% simply write them down on paper

IT decision makers may generally be perceived as being more security conscious than the average employee. The 2023 Bitwarden World Password Day Survey also polled 2,000 Internet users around the globe. Although risky behavior may not always permeate into the workplace, it’s reasonable to assume there may be some overlap. The survey found:

• 19% have used “password” as their password

• A majority (68%) of respondents manage passwords for 10+ sites or apps and yet 84% of respondents reuse passwords

• Although 30% use a password manager, nearly double (58%) rely on their memory for their passwords, and 34% still write their passwords down on paper like Post-it notes or a notepad

Using weak passwords, such as “password,” makes it easier for cyber criminals to guess or brute force credentials, potentially compromising multiple accounts. Writing down passwords on paper opens the door to external and internal threats. Risky practices beyond password security include using public WiFi for workplace access, interacting with suspicious links, and opening attachments from unknown senders. These behaviors can result in compromised credentials, malware, and other threats that can impact a company financially and reputationally.

Building a cybersecurity culture takes time. The value that it brings to an organization’s value was discussed during the 2023 Bitwarden Open Source Security Summit. Experts from AccuRanker, Tall Poppy, and Techlore joined each other on a panel to discuss strategies for fostering a culture of security. Some the takeaways included:

• Encouraging people to lean into personal cybersecurity best practices has a great knock-on effect on the enterprise security posture

• Organizations should promote a culture that encourages employees to notify the IT team when something goes awry and prioritize real-life, ongoing training exercises that occur throughout an employee’s tenure

Organizations that want to promote a robust, top-down cybersecurity culture should encourage C-level executives and empower team leaders to oversee third-party risks, develop and enforce robust security policies, and lead cybersecurity education and awareness initiatives. 

Organizations should also implement interactive and memorable elements such as music, quizzes, or short videos. Set the expectation for recurring, quick lessons throughout the year that keep security top of mind and empower team members to report suspicious activity creating a system for sharing malicious messages and unusual website or login activity. Over time, this leads to a more collaborative approach with heightened awareness at every level of the company, enabling IT to react promptly, if not preemptively. 

Developing a fully secure remote culture means providing the tools people need to be successful. Organizations typically need both SSO-compliant and password-based solutions to ensure optimal security and user experience. Shared accounts that require granular levels of control present another set of challenges for sharing credentials. Password managers play a critical role in securing, creating, and storing organization credentials in collections admins can manage. 

A recent survey revealed that 79% of employees want their company to require the use of the same password manager throughout the business. Password managers are a critical component of securing shared secrets within an organization and ensuring compliance with credential strength and best practices. As employees continue to work from home, it is a business-critical objective to have a solid remote access management strategy in place with a password manager.

With a password manager like Bitwarden, employees can create, manage, and store credentials in an end-to-end encrypted vault. Password managers take the hard work out of creating credentials in that users only need to remember one password: the password to the vault that stores and encrypts credentials. Enabling employees to easily create strong and unique passwords reduces the prevalence of weak or reused passwords. 

Similar to other reputable password managers, Bitwarden supports MFA, a technology that historically required authentication from a second device before the user could log in. In recent years, multi-factor authentication methods have broadened from something you have (text message, security key) and something you know (a pin, a word) to encompass something you are (facial and voice recognition). MFA is worth deploying because it creates a second line of defense in the event initial login credentials are compromised. 

In speaking as part of the 2023 Bitwarden Open Source Security panel on cybersecurity culture, Techlore founder, Henry Fisher said the following: 

“Data breaches can impact companies, customers, or even society, depending on how important services are to a community.”

While it isn’t possible to guarantee 100% security, it is very possible to limit the impact of a data breach by building an enterprise-wide cybersecurity culture that recognizes the importance of protecting credentials. 

Ready to try out password sharing with Bitwarden? Quickly get started with a free Bitwarden account, or start a 7-day free trial of our business plans to keep your team safe online.