Assessing Security Culture
Introduction
Security culture is one of the most critical aspects of an organization’s cybersecurity posture. Despite technological advancements in security solutions, the human factor remains the weakest link. Phishing, social engineering, and poor security habits can all lead to severe data breaches.
Recently, Silver Corp identified a growing security concern: employees increasingly using personal devices for work applications, including accessing corporate emails and Slack. This created significant risks that needed to be mitigated.
As a security consultant, I conducted a comprehensive security assessment and designed a training program to address these vulnerabilities, ensuring a safer digital workspace for Silver Corp.
Step 1: Identifying Security Risks
Before implementing any security improvements, it was crucial to understand the specific risks Silver Corp faced due to the increasing use of personal devices for work. By identifying these risks, we could develop a targeted approach to mitigate vulnerabilities and strengthen the company’s security culture.
Key Security Risks
- Phishing Attacks: Employees using personal email accounts on the same devices as work applications increase the risk of phishing attacks. A single malicious link—whether in an email, text, or social media message—could compromise the entire device. Since personal devices lack enterprise-level protections, attackers could exploit this entry point to access corporate emails, Slack, and other sensitive data.
- Lack of Security Controls: Unlike company-managed devices, personal phones and laptops often lack Mobile Device Management (MDM) solutions. This means that if a device is lost, stolen, or infected with malware, Silver Corp has no way to remotely wipe corporate data or enforce security policies, leaving sensitive information exposed.
- Data Leakage via Personal Apps: Many personal applications—including cloud storage, messaging apps, and even browser extensions—collect and transmit data in the background. Employees may unknowingly sync work documents to unsecured personal cloud accounts or share sensitive information through unencrypted channels, increasing exposure to data breaches.
Potential Attack Vectors
Beyond general security risks, several specific attack methods could be exploited due to the lack of security controls:
- Spear Phishing: Cybercriminals could send highly targeted phishing emails impersonating trusted colleagues or IT support, tricking employees into revealing credentials or downloading malware.
- Spoofing: Attackers could create fake login pages resembling Silver Corp’s authentication portals, stealing usernames and passwords when employees unknowingly enter their credentials.
- Session Hijacking: If employees access corporate applications over unsecured public Wi-Fi, attackers could intercept sessions and hijack accounts, gaining unauthorized access to sensitive data.
By identifying these risks, we had a clear foundation for developing a security strategy that would educate employees, strengthen policies, and reduce the company’s exposure to cyber threats.
Step 2: Setting Goals and Involving Key Stakeholders
Once we identified the security risks, the next step was to set clear goals and engage the right stakeholders to help drive the necessary changes at Silver Corp.
Preferred Employee Behavior
The overarching goal is to discourage employees from using personal devices for work applications, unless those devices are secured with Mobile Device Management (MDM). This would help mitigate the risks of data leakage, unauthorized access, and phishing attacks.
The aim was to foster a culture where employees understand the security implications of using personal devices for work and are motivated to follow best practices for device management.
Measuring Employee Compliance
Silver Corp’s corporate servers track application login activity, logging details such as device type, IP address, and client used. A security audit uncovered that:
- 75% of employees accessed work applications from personal devices, increasing the company’s exposure to the identified security risks.
- The target is to reduce this number to 5% within the next 12 months through a combination of training programs and policy implementation.
Achieving this reduction would significantly strengthen the organization’s security posture and move the company closer to its desired security culture.
Stakeholders Involved
To ensure the success of the initiative, several key stakeholders were involved in both the development and execution of the plan:
- CISO & Security Team: Present security risks to executive leadership and request budget approval for the implementation of MDM solutions and employee training programs.
- HR Department: Help develop a new mobile usage policy, and determine criteria for work-issued devices or eligibility for MDM enrollment.
- Procurement: Source and allocate the necessary work-issued mobile devices to employees who require them for work, ensuring that they meet security standards.
- IT Department: Implement the chosen MDM solutions, configure the necessary security settings, and provide ongoing technical support for both employees and the security team.
- Communications Team: Craft and distribute clear, concise materials to all employees about the new mobile usage policy and the training program to increase awareness and ensure smooth adoption.
By setting these goals and engaging the right departments, we aimed to implement changes that would be effective, practical, and scalable across the entire organization.
Step 3: Designing the Training Program
With clear goals set and stakeholders on board, the next step was to design a comprehensive training program to address the identified security risks and shift the organization’s security culture. The program was tailored to reach employees at various levels and provide both foundational knowledge and practical solutions.
Training Structure
The training program was divided into two main categories:
- New Employees: Receive in-person security training during the onboarding process, ensuring they understand company policies and potential security threats from the start.
- Current Employees: Participate in quarterly face-to-face training sessions. To ensure minimal disruption to day-to-day operations, the sessions cover 25% of the workforce at a time. Employees who violate policies repeatedly will undergo supplementary online training.
Training Modules
The training program consists of four core modules, each designed to address a specific area of risk or policy:
Module 1: Risks of Using Work Applications on Personal Phones
- Understanding the Impact of Data Breaches: Employees learn the potential consequences of data breaches, including reputational damage and regulatory fines.
- Real-World Case Studies: Discuss examples of security breaches caused by personal device vulnerabilities to illustrate the risks in tangible terms.
- Personal Risks: Employees are educated on the work-life balance, data loss, and security concerns that arise when using personal devices for work, especially after employment ends.
Module 2: Simulated Cyber Attack Exercise
- Employees are asked to connect to a controlled “public” Wi-Fi network to simulate a scenario where attackers might intercept sensitive data.
- Facilitators demonstrate how easy it is for cybercriminals to access work emails and credentials in an unsecured environment.
- After the exercise, there is a post-exercise discussion where employees learn about security measures like Multi-Factor Authentication (MFA), Virtual Private Networks (VPNs), and secure connections to protect their data.
Module 3: Introduction to the New Mobile Security Policy
- Policy Overview: This module provides a detailed explanation of the new mobile security policy and its importance in reducing organizational risks.
- Employee Categorization:
- Office-based Employees: Must remove work applications from personal devices to mitigate security risks.
- Hybrid Employees: Required to enroll in MDM for BYOD security to ensure personal devices meet company standards.
- Senior Managers & On-Call Roles: These employees will be issued a corporate mobile device to ensure all work data remains secure.
Module 4: Incentives and Disincentives
- Incentives: Employees who enroll in MDM within four weeks of the new policy being rolled out will receive a $150 gift card as a reward for early compliance.
- Disincentives: Regular audits will enforce policy adherence, and employees found in violation of the policy will be subject to additional training sessions. Repeat offenders will be required to attend one-on-one security workshops to ensure full understanding and compliance.
Measuring Effectiveness
To assess the program’s success, we will track login activity through security audits, looking specifically at:
- Quarterly audits to identify any policy violations.
- Employees found using personal devices for work will be required to attend additional training.
- If the share of employees accessing work applications from personal devices falls to 5% or lower, the program will be deemed a success.
- If the target isn’t met, the program will be revisited, and additional security measures may be introduced.
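The audit measurement described under Measuring Employee Compliance and Measuring Effectiveness, as an added example that is not part of the original write-up: it reads a constructed sample of login records (device type, IP address, client, plus an assumed "managed" flag for MDM enrollment), computes the share of employees seen on unmanaged devices against the 5% target, and applies the Module 4 escalation ladder. The column names, the `managed` flag and the prior-violation history are assumptions, not Silver Corp’s real log schema.

```python
import csv
from io import StringIO

# Constructed login records for one quarterly audit. The column names and
# the "managed" (MDM-enrolled) flag are assumptions, not a real log schema.
AUDIT_Q1 = """\
user,device_type,device_id,managed,ip,client
alice,iphone,dev-001,yes,10.0.1.4,Slack iOS
alice,laptop,dev-002,yes,10.0.1.4,Outlook
bob,android,dev-003,no,198.51.100.7,Gmail app
carol,laptop,dev-004,yes,10.0.2.9,Outlook
carol,iphone,dev-005,no,203.0.113.5,Slack iOS
dave,laptop,dev-006,no,192.0.2.44,Browser
"""

TARGET_RATE = 0.05  # plan target: at most 5% of employees on personal devices


def load_logins(text):
    """Parse CSV audit export into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def unmanaged_users(rows):
    """Employees with at least one login from a device that is not MDM-enrolled."""
    return sorted({r["user"] for r in rows if r["managed"].strip().lower() != "yes"})


def required_action(prior_violations):
    """Module 4 ladder: first finding -> extra training, repeat -> one-on-one workshop."""
    return "additional training" if prior_violations == 0 else "one-on-one workshop"


def compliance_report(rows, history):
    """history maps user -> violations found in earlier audits (constructed input)."""
    users = {r["user"] for r in rows}
    flagged = unmanaged_users(rows)
    rate = len(flagged) / len(users) if users else 0.0
    return {
        "total_users": len(users),
        "personal_device_rate": round(rate, 4),
        "target_met": rate <= TARGET_RATE,
        "actions": {u: required_action(history.get(u, 0)) for u in flagged},
    }


if __name__ == "__main__":
    prior = {"bob": 1}  # bob was already flagged last quarter (constructed)
    print(compliance_report(load_logins(AUDIT_Q1), prior))
```

On the sample data the rate comes out at 0.75, matching the 75% figure from the initial audit, so the target is not met and three employees receive actions.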
Final Review & Next Steps
By implementing this security training and policy, Silver Corp will significantly reduce the risk of data breaches caused by personal device vulnerabilities.
This project highlights the importance of structured security awareness programs and proactive policy enforcement. Security isn’t just about technology—it’s about the people who use it. By empowering employees with the knowledge and tools to protect both personal and corporate data, we can foster a security culture that prevents breaches before they occur.