Building a security culture in the workplace

According to the 2023 Bitwarden Password Decisions Survey of independent IT decision-makers across a range of industries, 60% of respondents reported their organization experienced a cyberattack within the past year. Almost half (49%) report struggling with employees who use unauthorized devices or software without IT’s approval, most (80%) report having a ransomware mitigation strategy, and 75% report their organization has cyber insurance.
These statistics reflect a corporate landscape that is saturated with data security risks. Another recent industry study found that 66% of respondents reported their organization was affected by ransomware, with the average (mean) ransom payment almost doubling from $812,380 in 2022 to $1,542,333 in 2023.
Organizations are regularly targeted by cyber criminals aiming to exploit risky internal behavior and an inadequate cybersecurity culture. Cultivating a strong security culture within the organization can significantly enhance resilience against cyber incidents. This blog explores common habits that create data security vulnerabilities and discusses strategies for developing a culture of security, such as ensuring identity security best practices and regular cyber awareness trainings are in place.
Security culture refers to the collective attitudes, values, and behaviors that an organization or community promotes to minimize security risks and protect its assets. It is a set of customs shared by a community to minimize risk, making safe behavior online habitual and ensuring employees can confidently identify and deter bad actors’ attempts to exploit vulnerabilities through phishing, malware, ransomware, and more. A strong security culture is essential for any organization, as it helps to reduce the risk of security breaches, data exfiltration, and other security concerns.
Evaluating your current security culture is essential for identifying areas for improvement and building stronger organizational security awareness and habits. To evaluate it, assess your organization's security measures and best practices, and conduct regular security audits and risk assessments to identify vulnerabilities and areas for improvement.
Earlier in this blog, we referenced a statistic about employees who use unauthorized devices or software without the IT team’s approval. These “shadow IT” behaviors create risks for organizations by introducing new attack vectors that IT teams or a security operations center (SOC) aren’t aware of and are unable to control. The same report found that:
- Almost all respondents (90%) reuse passwords
- Over half (54%) keep track of passwords in computer documents, while 29% simply write them down on paper
IT decision makers may generally be perceived as being more security conscious than the average employee. The 2023 Bitwarden World Password Day Survey also polled 2,000 Internet users around the globe. Although risky behavior may not always permeate into the workplace, it’s reasonable to assume there may be some overlap. The survey found:
- 19% have used "password" as their password
- A majority (68%) of respondents manage passwords for 10+ sites or apps, and yet 84% of respondents reuse passwords
- Although 30% use a password manager, nearly double (58%) rely on their memory for their passwords, and 34% still write their passwords down on paper such as Post-it notes or a notepad
Using weak passwords, such as “password,” makes it easier for cyber criminals to brute force account access with credential stuffing or password spraying attacks, potentially compromising multiple accounts. Writing down passwords on paper opens the door to external and internal threats. Risky practices beyond password security include using public WiFi for workplace access, interacting with suspicious links, and opening attachments from unknown senders. These behaviors can result in compromised credentials, malware, and other threats that can impact a company financially and reputationally. Understanding security issues is critical for employees to safeguard sensitive data and assets against potential threats.
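Both attack patterns named above leave a recognizable shape in authentication logs once the events are grouped the right way: a password spray is one source fanning out across many accounts, while distributed guessing against a single account spreads over many sources so that no one IP looks noisy. The following Python is an added example written for this post, not Bitwarden code; the log format, the sample lines, the thresholds and the function names are all constructed assumptions for illustration.

```python
"""Group authentication events to surface password spraying and distributed
guessing. Added example; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, username, source IP (one per line).
SAMPLE_LOG = """\
2023-05-01T09:00:01Z FAIL alice 203.0.113.10
2023-05-01T09:00:03Z FAIL bob 203.0.113.10
2023-05-01T09:00:05Z FAIL carol 203.0.113.10
2023-05-01T09:00:07Z FAIL dave 203.0.113.10
2023-05-01T09:00:09Z FAIL erin 203.0.113.10
2023-05-01T09:00:11Z OK frank 203.0.113.10
2023-05-01T09:05:00Z FAIL alice 198.51.100.7
2023-05-01T09:05:30Z FAIL alice 198.51.100.7
2023-05-01T09:06:00Z OK alice 198.51.100.7
2023-05-01T10:00:00Z FAIL gina 192.0.2.1
2023-05-01T10:00:02Z FAIL gina 192.0.2.2
2023-05-01T10:00:04Z FAIL gina 192.0.2.3
2023-05-01T10:00:06Z OK gina 192.0.2.4
"""


def parse_log(text):
    """Parse the constructed format into (ts, ok, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result == "OK", user, src))
    events.sort(key=lambda e: e[0])
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP whose failures hit >= min_users distinct accounts in one window.
    A spray tries one or two common passwords against many accounts, so per-account
    lockout thresholds never trip; the tell is the fan-out across accounts."""
    by_src = defaultdict(list)
    for ts, ok, user, src in events:
        by_src[src].append((ts, ok, user))
    alerts = []
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, ok, user in evs if not ok]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                # A success from the same source inside the window is the
                # highest-priority signal: one of the sprayed passwords worked.
                hit = [u for ts, ok, u in evs if ok and start <= ts <= start + window]
                alerts.append({"src": src, "users": sorted(users), "compromised": hit})
                break
    return alerts


def detect_distributed_guessing(events, window=timedelta(minutes=10), min_sources=3):
    """Flag an account that fails from >= min_sources distinct IPs in one window.
    Credential stuffing and distributed guessing spread attempts over many sources,
    so grouping by account rather than by IP is what exposes them."""
    by_user = defaultdict(list)
    for ts, ok, user, src in events:
        by_user[user].append((ts, ok, src))
    alerts = []
    for user, evs in by_user.items():
        fails = [(ts, src) for ts, ok, src in evs if not ok]
        for i, (start, _) in enumerate(fails):
            srcs = {s for ts, s in fails[i:] if ts - start <= window}
            if len(srcs) >= min_sources:
                succeeded = any(ok and start <= ts <= start + window for ts, ok, _ in evs)
                alerts.append({"user": user, "sources": sorted(srcs), "succeeded": succeeded})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_spraying(evs):
        print("SPRAY", a)
    for a in detect_distributed_guessing(evs):
        print("DISTRIBUTED", a)
```

Run against the constructed sample, the first detector reports the spray from 203.0.113.10 and, more importantly, that the subsequent successful login for `frank` came from the same source, which is the event worth paging on; the second reports `gina` failing from three sources and then succeeding from a fourth. The per-user two-failure pattern for `alice` from 198.51.100.7 trips neither rule, which is the intended behaviour: a user mistyping a password is not an incident, and tuning the window and thresholds to the organization's own login volume is what separates a usable detection from a noisy one.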
Building a cybersecurity culture takes time. The value that it brings to an organization was discussed during the 2023 Bitwarden Open Source Security Summit. Experts from AccuRanker, Tall Poppy, and Techlore joined each other on a panel to discuss strategies for fostering a culture of security. Some of the takeaways included:
- Encouraging people to lean into personal cybersecurity best practices has an effective compound effect on the enterprise security posture
Organizations should promote a culture that encourages employees to notify the IT team when something goes awry and prioritize real-life, ongoing training exercises that occur throughout an employee’s tenure. Senior management's active support for security initiatives is essential for ensuring that all employees understand and adhere to cybersecurity best practices.
Organizations that want to promote a robust, top-down cybersecurity culture should encourage C-level executives and empower team leaders to oversee third-party risks, develop and enforce comprehensive security policies, and lead cybersecurity education and awareness initiatives.
Organizations should also implement interactive and memorable elements such as music, quizzes, or short videos. Set the expectation for recurring, quick lessons throughout the year that keep security top of mind and empower team members to report suspicious activity, and create a system for sharing malicious messages, as well as unusual website or login activity. Security training is a vital component of a comprehensive cybersecurity strategy. Over time, this leads to a more collaborative approach with heightened awareness at every level of the company, enabling IT to react promptly, if not preemptively.
Developing a fully secure remote culture means providing the tools people need to be successful. Organizations typically need both SSO-compliant and password-based solutions to ensure optimal security and user experiences. Shared accounts that require granular levels of control present another set of challenges for sharing credentials. Password managers play a critical role in securing, creating, and storing organizations’ credentials in collections admins can manage.
A recent survey revealed that 79% of employees want their company to require the use of the same password manager throughout the business. Password managers are a critical component of securing shared secrets within an organization and ensuring compliance with credential strength and best practices. As employees continue to work from home, it is a business-critical objective to have a solid remote access management strategy in place with a password manager.
A password manager like Bitwarden enables employees to create, manage, and store credentials in an end-to-end encrypted vault. Password managers take the hard work out of creating credentials by ensuring users only need to remember a single password, the one to the vault that stores and encrypts sensitive login credentials. Enabling employees to easily create strong and unique passwords also reduces the prevalence of weak or reused passwords.
Bitwarden also supports multifactor authentication (MFA), a technology that historically required authentication from a second device before the user could log in. In recent years, multifactor authentication methods have broadened from something you have (text message, security key) and something you know (a PIN, a word) to encompass something you are (facial and voice recognition). MFA is worth deploying because it creates a second layer of defense if a user's login credentials are compromised.
Speaking at the 2023 Bitwarden Open Source Security Summit panel on cybersecurity culture, Techlore founder Henry Fisher said the following:
“Data breaches can impact companies, customers, or even society, depending on how important services are to a community.”
While it isn’t possible to guarantee 100% security, it is very possible to limit the impact of a data breach by building an enterprise-wide cybersecurity culture that recognizes the importance of protecting credentials.
Employee training and awareness programs are a key element of any effective security culture. These programs should educate employees on security risks, security concerns, and security best practices, and provide them with the knowledge and skills they need to report security concerns and implement better security awareness habits. Security awareness training should be regular and ongoing, and should include topics such as phishing, malware, and data protection. By providing employees with regular security awareness training and promoting a culture of openness and transparency, organizations can ensure they are turning employees into their greatest asset for mitigating security risks moving forward.
Ready to try out password sharing with Bitwarden? Quickly get started with a free Bitwarden account, or start a 7-day free trial of our business plans to keep your team safe online.