Building a cybersecurity culture: The role of internal communications in fostering awareness and prevention

By Wendy Kauffman and Ozzie Fonseca


Consider the following statistics published last month by Exploding Topics, a trend-spotting algorithm used for the early identification of products, industries and categories.

● Someone falls victim to a cyberattack roughly once every 11 seconds.
● Almost 6 in 10 businesses have suffered a ransomware attack this year.
● North America has seen a 15% increase in ransomware attacks this year.
● The average cost of a successful attack on an IoT device is more than $330,000.
● Data breaches from phishing attacks cost companies an average of $4.88 million.
● The largest recorded data breach compromised more than 3 billion user accounts.

In an era where cyberattacks are escalating in frequency and sophistication, the urgency of building a strong cybersecurity culture cannot be overstated. According to IBM Security, human error contributes to nearly 95% of cyber incidents, through preventable mistakes such as misconfigurations, weak passwords, and clicking on malicious links.

This and other reports confirm that organizations are only as secure as their least compliant employee. With this front of mind, organizations have responded with a flood of policies: documents written to counter the threat, and to take cover behind when things go wrong.

Policies, however, are not messages.

Policies define acceptable behaviour but do not build a culture of willing compliance. Building a cybersecurity culture starts with a strategic approach to internal communication. Communication tactics must cut through the noise of a fast-paced work environment, cater to decreased attention spans, and be continuous throughout an employee's tenure.

A cultural shift comes from embedding the desired behaviour into the fabric of daily operations and focusing on how cybersecurity training is delivered.

Tell, Show, Test.

Rather than overwhelming employees with dense, long sessions, organizations should use shorter, frequent lessons that cater to many types of learners (auditory, visual and tactile), include built-in practice time, and adopt a goal of "No employee left (educationally) behind."

A Tell, Show, Test model is a simple communications framework for building a cybersecurity culture. It starts by telling employees what cyber threats look like and what happens when a breach occurs. It then shows them real-world examples of how threats unfold and how easily mistakes lead to breaches. The model is completed by ongoing testing and feedback on employee understanding and proficiency. Testing can range from simple five-minute quizzes to simulated phishing attempts that confirm employees recognize and respond to threats appropriately. Simulated phishing works best when the result feeds back into training rather than into discipline: employees who fear blame stop reporting what they clicked, and an unreported click is the one that does the damage. Like any other skill, practice increases proficiency, so that good cybersecurity practices become second nature.

When planning, watch out for the big pitfall: human nature. Then, don't policy it; plan for it.

Tip #1 Don't create barriers to job success: Ultimately, employees care about their jobs, career advancement, and employment security. Ignoring or circumventing cybersecurity protocols will be tempting if they are seen as obstacles to day-to-day work. Instead of enforcing rigid rules that disrupt productivity, focus on rules that align with employees' goals. For instance, instead of framing cybersecurity as a burden everyone must carry, explain the consequences of non-compliance and how they affect overall company performance. Build recognition and rewards for good compliance into compensation structures.

Tip #2 What gets measured gets done. Track cybersecurity awareness and response capabilities with regular testing and feedback. The act of measurement will signal that this is an organizational priority and a shared responsibility across the organization.

Tip #3 Avoid technical jargon: Set people up for success by speaking their language when explaining and teaching the rules. Employees are busy; the chance that they will take the time to decode what the company means is slim, and the hours spent trying are wasted. State policies and all training in simple language that everyone can follow and easily retain.

Tip #4 Manage information overload: Make sure time, resources and recognition are focused on the right elements and the right people. Messages derived from the cybersecurity protocol should include general steps for the entire organization and role-specific ones. Segment messaging so that only people in the corresponding roles must learn (and be tested on) the tasks relevant to their job. There is only so much that people can remember. If someone works in the mailroom, they do not need to be burdened with rules that apply only to a travelling salesforce.

Tip #5 Govern from the top: Culture starts at the top. Modelling good behaviour begins with management, and this is also where responsibility for a healthy cybersecurity culture must lie. Tie compensation incentives to cybersecurity outcomes as part of good governance practice.

Tip #6 Repetition is the cornerstone of a strong cybersecurity culture. Imagine if a school’s safety relied on the skills learned in a lockdown drill conducted once in kindergarten. There is a reason drills are repeated multiple times a year for the entire school, including at least once with first responders. Systems change, people move, threats shift. Familiarity leads to better retention, which leads to better adherence. Similarly, cybersecurity must be a continuous learning, practicing, and improving process.

Building a culture of cybersecurity requires more than just policies. It demands an internal communication strategy that acknowledges human nature, delivers messages clearly and consistently, and allows employees to improve their skills as they grow. Cybersecurity is not just a technology solution; it is a people, communication, and culture-driven responsibility that shapes organizational resilience.


Wendy Kauffman is a senior communications specialist and the founder of Wendolyn Reputation Management, specializing in crisis communications, ESG communications, and spokesperson training.

Ozzie Fonseca is a data breach industry veteran who has helped tens of thousands of companies respond to cyber incidents. He is also a co-founder at Breachlink, the largest data breach response provider marketplace in North America.

#cybersecurity #corporatepolicy #crisiscommunications #cyberattack #databreach

Angela Podolsky

Business & Behaviour | Int. Keynote Speaker

5 months

Great insight, Wendy Kauffman, GCB.D! We also decided to share free cybersecurity tips (one tip a day) during Cybermonth on QuantumSmart to help keep companies safe, secure and prepared. It is such an important topic!
