Security Culture – Does Your Organisation Have It?


Written By Matt Hanmer Managing Director of Infoblox, Australia and New Zealand.

With 63% of Australian respondents citing phishing as the biggest attack vector, human error still seems to be the weakest link in the security landscape. So what can we do about it? We can only build the defences against cyberattacks so high, and as technology is ultimately there to serve humans, there is always going to be the vulnerability of human behaviour that technology can’t overcome.

With this in mind, I believe organisations need to adopt a new ‘culture of security’ to prevent human error, and organisational culture must play a critical role in an organisation’s security and protection.

As most already know, organisational culture is hugely important to a business’s success. Work culture is the collection of values, expectations, and practices that guide and inform the actions of all team members at any given time. A collection of traits that make an organisation what it is, all the way down to its DNA.

I believe it’s time to include security in that set of values, expectations, and practices, and ensure that a ‘security culture’ is baked into organisations at the most fundamental level. Team members need to know that through their actions they are protecting not only themselves but the organisation as a whole.

So, what would be the pillars of a security culture? I believe there are six pillars that organisations must consider when building a protective culture to augment and accompany their existing cybersecurity protection, protocols, and plans.

  1. Frame of mind: Employees must have the correct frame of mind when it comes to security. Do they understand the risks to themselves and others, and do they want to do what is best for the company? What do they believe their obligations are in this area?
  2. Impact: Team members need to be aware of the real impact of not fulfilling their obligations. Do they know that even the smallest actions can have a huge impact on both their professional and personal information?
  3. Awareness: What is their understanding and awareness of the specific cyberthreats that the organisation faces, and how does this shape their view of their responsibilities and obligations?
  4. Knowledge: Employees must know why they must take precautions and follow the protocols that they do.
  5. Internal communication: It’s up to the organisation to communicate this to the team, and this communication must be effective. It can’t be left up to the employees to learn while they are already doing their job. Protocols, risks, security policies, suspicious links, passwords, and other skills must be taught effectively.
  6. Rules: Organisations need a set of rules that each team member must follow to demonstrate a culture of security. These must be easy to understand and remember, at all times.

Behaviour is key. Much of a security culture ultimately comes down to behaviour and ensuring that there is a change from risky security behaviours to safer best practice. Poor security behaviours include badly chosen passwords, sharing passwords, and reusing passwords in other places. They also include discovering a security problem and doing nothing about it on the assumption that someone else will fix it, accessing suspicious websites, opening an attachment from an untrusted source, and not updating software when required to.

58% of Australian respondents in a recent survey reported experiencing up to five IT security incidents in the past year. The plethora of security incidents highlights a need for organisations to leverage a defence-in-depth strategy that protects every avenue and shores up weak spots in their networks. While most organisations use anti-virus for computers and a SIEM to consolidate security event alerts, they could better defend their infrastructure by layering in DDI metadata, something they already have from the DDI (DNS, DHCP and IP address management) systems that connect devices on the network, to enhance visibility into network activities.

With more than 90% of malware touching DNS on the way in and out of the corporate network, organisations could also invest in a DNS security solution that uses high quality, aggregated and curated threat intelligence to help prevent users from accessing fraudulent domains or communicating with command and control sites. This preventative measure is especially helpful with many employees working remotely at least part-time. As cyber crime evolves, organisations need to continue layering defences to protect corporate assets.
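The two layers described above, a DNS control point fed by a curated domain blocklist and DDI metadata used to put a device name on each hit, as an added illustration that is not Infoblox code and not part of the original article. The blocklist entries, DHCP leases and DNS query log lines are all constructed sample data, and the line format is an assumption for the example.

```python
"""Toy DNS-layer control: match each query against a curated domain blocklist
(threat intelligence) and enrich hits with DDI-style metadata (the DHCP lease
that maps the querying IP to a hostname). All values are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed threat-intel feed: a listed domain also covers its subdomains.
BLOCKLIST = {"evil-c2.example", "paypa1-login.example"}

# Constructed DHCP lease table, the kind of DDI metadata already on hand.
LEASES = {"10.0.0.12": "laptop-jsmith", "10.0.0.40": "printer-2f"}

# Constructed DNS query log, one "<client_ip> <qname> <qtype>" per line.
LOG = """10.0.0.12 www.google.com A
10.0.0.12 beacon.evil-c2.example A
10.0.0.40 paypa1-login.example A
10.0.0.55 mail.example.org MX
"""

@dataclass
class Verdict:
    client_ip: str
    qname: str
    action: str             # "block" or "allow"
    matched: Optional[str]  # blocklist entry that matched, if any
    device: str             # hostname from the DHCP lease, or "unknown"

def match_blocklist(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname (exact or any parent domain)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None  # label-wise walk, so "notevil-c2.example" does not match

def evaluate(line: str) -> Verdict:
    """Apply the policy to one log line and attach the device name."""
    client_ip, qname, _qtype = line.split()
    hit = match_blocklist(qname)
    return Verdict(client_ip, qname, "block" if hit else "allow", hit,
                   LEASES.get(client_ip, "unknown"))

def blocked_queries(log: str) -> list:
    """Run the policy over a whole log and return only the blocked queries."""
    verdicts = (evaluate(l) for l in log.splitlines() if l.strip())
    return [v for v in verdicts if v.action == "block"]

if __name__ == "__main__":
    for v in blocked_queries(LOG):
        print(f"BLOCK {v.qname} from {v.client_ip} ({v.device}) via {v.matched}")
```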

For more information on Infoblox, please visit