

  • Human error is to blame for most of today’s breaches. Training is the obvious way to combat this risk – but as commonly delivered, it isn’t working.
  • 69% of employees have received cybersecurity training from their employers, yet when they took a basic security quiz, 61% failed.
  • It’s not that training is bad; it’s that employers aren’t rolling out the right kind of training.
  • Rather than host one-off away days, organizations should look at deploying nudge solutions inside the applications employees already use.

If your employees do not follow security protocols, they are putting your data at risk. Even if you have the most expensive security solutions in place, your people can still undermine your investments.

One widely cited study attributes 95% of cybersecurity breaches to human error. A separate study found that 74% of employees have broken security rules, and a similar number (73%) have fallen for phishing attacks.

By nature, people are bound to make mistakes at some point – but many of these errors could be avoided if employees had a deeper understanding of security. 

Of course, we’re not saying your employees need to be security experts. That’s out of the question. They’re at work to do their job – and the security department is there to do theirs. However, given the relationship between data breaches and the bottom line, it’s fair to say that security is, to an extent, everyone’s responsibility. 

While your people shouldn’t necessarily be security experts, they should be security advocates. It appears, though, that many companies underestimate the significance of creating a robust security culture. The people domain was the weakest of the three aspects of cybersecurity – people, process, technology – according to the 2021 Hiscox cyber maturity model, but funding for training decreased 8% last year. 

Even when employees have undergone training, the results aren’t where they should be. 69% of employees have received cybersecurity training from their employers, yet, when they took a basic quiz, 61% failed.

Fostering a security culture is imperative

To combat security threats and reduce accidental data leaks, organizations need to build a security culture from the ground up. This means doing more than hosting annual training sessions. Security can’t be a tick-box exercise. You need to take a dynamic, holistic approach. 

With that in mind, here are four steadfast ways to bolster your company’s security culture: 

Make security everyone’s job!

In a robust security culture, every employee understands that they have a role to play in maintaining data security and protecting the organization from attackers. This means that everyone needs a foundational knowledge of the threat landscape and of your organization’s particular risks. 

For example, do your employees know that your company is regularly targeted by phishing emails? Is there a process in place for them to report fraud attempts easily and quickly? Are they rewarded for helping the security team? Think about ways you can embed security processes into your operations so that employees understand its importance and feel encouraged to play their part. 

Another way to encourage a security-first mindset is to take a top-down approach. If you can get your executives to champion cybersecurity at the board level and mention it in company-wide meetings, your employees will quickly start to take note. 

Lastly, consider creating a dedicated communications channel in Slack or Teams, where it’s easy for your employees to reach out to your security and IT personnel with any questions. Rather than cordoning off the security department so they are siloed, try to bring these people into the business to have a more significant impact. 

Security needs to be cyclical, not a one-off

Too often, organizations host one-off eLearning sessions or annual away days to tick off their security training objectives. Honestly? These sessions rarely have the desired impact. Firstly, a one-day session is unlikely to have a long-term effect. Knowledge retention has been reported to drop by more than 50% once a training segment runs longer than two minutes. 

Most people won’t retain and digest a lot of information from just one class or eLearning module. While they may be security conscious for a day or two after the training, they’ll likely resume their old habits in the long term.

Secondly, these types of training don’t do much to measure how well your employees are following security protocol. While they might involve mini-tests during the session, they don’t offer a means to follow up and assess how your employees perform regarding security day to day. 

Lastly, if we’re honest, these sessions are often dull. They take away from employees’ day, which often leads to feelings of resentment towards security. This is the opposite of what you want! You need employees who champion security, not begrudge it. 

So, rather than make employee training a one-off, tick-box exercise, you need to make security awareness an ongoing, dynamic program. Ideally, your program should integrate into your employees’ workflow, so as not to take them away from their daily work for too long (more on that below). 

Focus on the ‘why’ 

Many employees know that there are various security protocols they need to follow – but most don’t understand why. For example, employees are told to use unique passwords (and, in many organizations, still to change them on a schedule, even though NIST SP 800-63B now recommends changing a password only when there is evidence it has been compromised). Delivered without the reasoning, such rules come across as a cumbersome order rather than a meaningful action that protects the company. 

To that end, rather than focusing on telling your employees ‘what’ to do, explain ‘why’. Highlight how your employees’ actions reduce your company’s exposure to cyber-attacks, and help them understand that what they do matters in the grand scheme of things. 

How you do this will depend on your company’s mode of working and communications program. Some companies hold security round-ups as part of their weekly meetings. Others may choose to use Slack or email to communicate security values. Here, the ‘how’ matters less than the content: explain the ‘why’ behind the ‘what’. 

Nudge your users towards better behavior 

Research suggests that, when it comes to security, the best way to help users is to give them in-the-moment nudges about secure behavior. A simple example is the password strength meter you often see when signing up for a new website. These meters move from red to green in line with the estimated strength of the password. (One caveat: a meter that only counts character classes will happily rate ‘P@ssw0rd’ as strong; a useful one also checks the password against a list of common and breached passwords and penalizes keyboard patterns and repetition.) 

Most people want to reach the green light, so they pick stronger passwords. This is an example of nudge theory in action: the practice of using positive, well-timed prompts to steer people towards better security decisions. 

Beyond passwords, nudges are starting to take the world by storm. Our solution, for example, incorporates nudges into popular cloud applications like Slack, Teams and Google Workspace.

As well as securing your sensitive data in real-time, our solution will alert employees if an action they’ve tried to take could harm data security. At the same time, our engine blocks the action from occurring, so data security isn’t compromised.

Over time, these in-app nudges can effectively build a data security culture by putting security front of mind for your employees – without taking them away from their workflow. In fact, we’ve found that our solution reduces risky data sharing behavior by over 70% in 1 month.
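As an added illustration of the in-app pre-send check described above (example code written for this edit, not Polymer’s engine or any part of its product), the block below scans a chat message for a few sensitive-data types, blocks the send when it finds one and returns the nudge text the user would see. The detector set is illustrative only; the sample messages are constructed, and the AWS access key ID used is the public placeholder from AWS documentation, not a real credential.

```javascript
// Added example (not Polymer's engine): a pre-send check of the kind an
// in-app nudge runs on a chat message before it leaves the client. It flags
// payment card numbers (Luhn-validated to cut false positives), US SSNs and
// AWS access key IDs, blocks the send and explains why. The detector list is
// illustrative; a real DLP engine has many more detectors and policies.

const DETECTORS = [
  {
    type: "payment card",
    // 13-19 digits, optionally separated by spaces or dashes.
    pattern: /\b(?:\d[ -]?){12,18}\d\b/g,
    validate: (m) => luhnValid(m.replace(/[ -]/g, "")),
    redact: (m) => "****" + m.replace(/[ -]/g, "").slice(-4),
  },
  {
    type: "US SSN",
    // AAA-GG-SSSS with the structurally invalid ranges excluded.
    pattern: /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g,
    validate: () => true,
    redact: () => "***-**-****",
  },
  {
    type: "AWS access key ID",
    pattern: /\bAKIA[0-9A-Z]{16}\b/g,
    validate: () => true,
    redact: (m) => m.slice(0, 8) + "...",
  },
];

// Luhn check: doubles every second digit from the right, subtracting 9 from
// any result above 9, and requires the sum to be a multiple of 10.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Runs every detector over the text; returns one finding per validated match.
function scanMessage(text) {
  const findings = [];
  for (const det of DETECTORS) {
    for (const m of text.matchAll(det.pattern)) {
      if (det.validate(m[0])) {
        findings.push({ type: det.type, redacted: det.redact(m[0]) });
      }
    }
  }
  return findings;
}

// The pre-send hook: allows clean messages through and, for anything else,
// blocks the send and returns the nudge shown in the compose box.
function checkBeforeSend(text) {
  const findings = scanMessage(text);
  if (findings.length === 0) {
    return { allowed: true, findings, nudge: null };
  }
  const types = [...new Set(findings.map((f) => f.type))].join(", ");
  const shown = findings.map((f) => f.redacted).join(", ");
  return {
    allowed: false,
    findings,
    nudge:
      `Hold on: this message contains ${types} (${shown}). ` +
      "Posting it here exposes it to everyone in the channel and to any connected integrations. " +
      "Share it through the approved secure channel instead.",
  };
}
```

Two details matter for the nudge to be accepted rather than resented: the Luhn check keeps order numbers and phone numbers from triggering false blocks, and the message shows a redacted form of what was caught, so the user immediately sees what the rule is protecting rather than just that they were stopped.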

Find out more about our nudge solution now. Polymer DLP prevents sensitive data exposure across your SaaS apps without slowing your business.
