Canadian Security Magazine

Building a Resilient Cyber Security Culture

By Julie Jeffries   

Sponsored by Microsoft

As the cyber risk landscape evolves, frameworks and technology controls alone are not enough to guard against costly risks. Creating a resilient cyber security culture must start with a human-centric approach. No one in your organization actually wants to put the company at risk, but a lack of cyber awareness, coupled with complicated security procedures, makes risk harder to avoid.

Building a security culture is more than just cyber security awareness. In a resilient cyber security culture, the workforce knows the security risks, the processes to avoid those risks, and the organizational operating processes that keep the company safe.


Empowering Your First Line of Defense

At the core of an effective cyber security culture is acknowledging that people are truly your first line of defence and best response to cyber-attacks. Despite the statistics, when logged into the corporate network, our individual confidence that we will not fall victim to attacks borders on superhero levels. According to Verizon, 22% of data breaches in 2021[1] were caused by insider incidents.

Boosting end user knowledge of security threats—like ensuring they understand phishing and the signs of subtle attacks—goes a long way to increasing the eyes and ears of the security team, especially as a “tip of the spear” strategy, since end users are often the entry point for an attack.

  • Building a Security Aware Culture – A security awareness training program that is more than just once-a-year training that employees click through to meet organizational requirements will do much more to create a security aware culture than just ticking a box. Delivering cyber awareness training as easily consumed modules spread throughout the year not only increases knowledge retention, but also demonstrates the importance the organization places on it. A strong awareness training program supports education on security risks by keeping employees up to date with the latest types of cyber attacks and how to recognize them. Just as importantly, it educates employees on the organization’s cyber-safe processes for data and user access, and on the practices to follow in case of a cyber breach or data leak.

Leveraging these best practices, Microsoft has developed a cyber awareness training kit to support organizations in cultivating security awareness among their employees; it is available at no cost.

  • Empower Your Employees to Defend Against Phishing Attacks – With 7 phishing attacks occurring every single minute[2], it is not surprising that most security leaders are concerned about their phishing risk across the organization. Implementing attack simulation training within an organization can first help leaders understand the phishing risk across their organization, and then measure risk reduction progress against that baseline. By leveraging realistic phishing simulations and interactive, highly targeted training, organizations can

You can get started by participating in the Gone Phishing Tournament in October, or by accessing Attack Simulation Training as part of Defender for Office 365 for your organization.


Cyber Hygiene

The more complex an organization’s security procedures are, the harder they are for employees to follow, and the greater the risk that they will not be done properly or at all. Integrating security solutions into the productivity procedures your employees use each and every day, such as passwordless authentication, reduces the risk of complex procedures being skipped.

With basic security hygiene protecting against 98% of attacks[3], prioritizing these foundational cyber best practices can prevent the most common lines of attack.

  1. Enable multifactor authentication – Weak login credentials can give attackers easy, unchallenged access to corporate resources. MFA adds an additional layer of defence by requiring users to provide two or more forms of authentication to access an account.
  2. Apply least privilege access – Prevent attacks from spreading across the network by applying least privilege principles that limit user access with just-in-time and just-enough access, risk-based adaptive policies, and data protection to help secure both data and productivity.
  3. Keep up to date – Mitigate the risk of software vulnerabilities by ensuring your organization’s devices, infrastructure and applications are kept up to date and correctly configured.
  4. Utilize antimalware – Stop malware attacks from executing by installing and enabling antimalware solutions on endpoints and devices.
  5. Protect data – Implement information protection best practices such as applying sensitivity labels and data loss prevention policies.

To better understand your current security hygiene, leverage tools like Microsoft Secure Score, which enables you to easily assess your security posture across identity, devices, information, apps and infrastructure.

Any significant organizational transformation project requires active participation from senior leadership, and creating a sustained cyber security culture shift is no different. Gaining support for the cyber security culture across organizational leadership teams, and together proactively role modelling the desired behaviours, is an important part of shifting the culture.

Strengthening your cyber resilient culture does not happen overnight; it is a continuous journey that all organizations are on as we move forward in this rapidly changing threat landscape.

Additional resources to support your journey to building a resilient cyber security culture:


[1] Verizon 2021 Data Breach Investigations Report


[3] Microsoft Digital Defense Report 2021


Julie Jeffries is the Director, Security Business Group, Microsoft Canada.
