Strengthen Cyber Defenses by Cultivating a Supportive Workforce
Nearly 9 out of 10 data breaches are caused by employee mistakes. To address cybersecurity risks, many companies focus on direct interventions like security awareness training or hiring third-party security vendors. While these measures are crucial, they often overlook a deeper, less obvious contributor to security: the health and transparency of the company’s broader organizational culture.
Certainly, companies that emphasize specific, targeted cybersecurity measures such as security training and multi-factor authentication can reduce their likelihood of a breach. But companies with truly resilient security also cultivate a supportive culture. This environment empowers employees not only with the resources they need to perform their roles but also with a workplace where they feel genuinely valued and motivated to safeguard the company’s assets.
A strong, positive, and supportive culture that prioritizes transparency and flexibility is key to effective cybersecurity. Employees need to feel comfortable reporting errors without fear of backlash: a recent study found that nearly half of employees admit they’ve made a mistake they suspect could lead to a security risk, yet many hesitate to report these issues due to fear of reprisal. When employees feel supported in balancing their personal and professional lives, they’re more likely to stay vigilant, follow security protocols, and sustain the mental clarity needed to identify and address security risks effectively. High stress and fatigue, on the other hand, can impair judgment, leading to risky shortcuts. For instance, an exhausted employee might skip multi-factor authentication for convenience or accidentally share sensitive information through unsecured channels, unknowingly exposing the company to cyber threats.
In short, employees who feel supported, respected, and aligned with their organization’s goals are more likely to act with care and proactively raise security concerns.
"There are people that truly care and want to make this place better." - Meta employee
Unlocking the Power of Security Culture with Aniline
Using Aniline’s extensive database of company profiles, we examined a group of companies that recently experienced high-profile data breaches. By analyzing their Aniline scores across dimensions like Integrity, Leadership, and Workplace, as well as insights from employee feedback, we uncovered critical organizational issues that often contribute to security vulnerabilities. Here’s what we learned.
Aniline’s scores reflect significantly different patterns between the two groups, suggesting these quantitative dimensions capture cultural factors that contribute to the likelihood of security events. On average, compared to companies that experienced high-profile data breaches, companies with a strong reputation for cybersecurity scored:
Breached companies also experience a much greater degree of volatility in their Aniline scores over time than companies with strong cybersecurity reputations. On average, the scores of breached companies were nearly twice as volatile as the scores of more cyber-secure companies. These patterns underscore the importance of a multifaceted understanding of cybersecurity through a cultural lens.
Common Themes Among Companies with Recent Major Data Breaches
Across the breached companies, several recurring themes emerged, suggesting that cultural and structural weaknesses can pave the way for cybersecurity vulnerabilities.
Cultural Weaknesses
Leadership Disconnect and Insufficient Communication: Employees at many breached companies felt disconnected from leadership, particularly regarding cybersecurity priorities. For example, at Kaiser Permanente, employees expressed frustration with leadership’s apparent lack of urgency around security. This disconnect often left employees unclear on security goals, reducing the collective commitment to prevent breaches.
“There's no sense of urgency or clear guidance on security practices, which leaves us vulnerable.”
Inconsistency in Security Responsibilities and Policies: Dropbox employees reported ongoing tension due to unclear security roles, with teams uncertain about who was responsible for specific cybersecurity duties. This ambiguity weakened the company’s response to vulnerabilities and fostered confusion rather than proactive problem-solving. At TeamViewer, employees across different regions noted inconsistent practices in meeting regulatory requirements, which created critical gaps in protection.
“It’s hard to know where responsibility for security begins and ends. Without clear boundaries, things slip through the cracks.”
Fear and Anxiety Over Mistakes: In companies with less supportive cultures, employees were hesitant to report vulnerabilities due to fear of blame or reprisal. At MITRE, employees described heightened anxiety around security, especially due to the sensitivity of the government data involved. When employees fear repercussions, even small errors can go unreported and escalate into major security incidents.
Structural Weaknesses
Outdated or Insufficient Security Infrastructure: Companies like Harvard Pilgrim Health Care and MITRE struggled with outdated systems that couldn’t withstand advanced cyber threats, leading to prolonged data exposure. Employees expressed concerns about lagging technology, which left them feeling “constantly behind” on cybersecurity defenses.
“We’re always playing catch-up with technology, and it feels like we’re fighting a losing battle.”
Inadequate Multi-Factor Authentication (MFA): Basic security controls like MFA were inconsistently implemented at companies like Change Healthcare and Dropbox, where weak MFA practices increased exposure to unauthorized access. Employees cited MFA as a crucial measure that could have significantly reduced vulnerability.
Weak Incident Response and Crisis Management: Delayed or insufficient responses to breaches worsened their impact. At the US Postal Service and LoanDepot, employees reported an absence of clear protocols for handling breaches, leading to confusion and eroding trust among employees and customers alike.
Over-Reliance on Third-Party Vendors: Several companies struggled with vulnerabilities tied to third-party providers. AT&T and Ticketmaster were both compromised due to vendor weaknesses, exposing vast amounts of sensitive customer data. Employees expressed frustration over limited oversight of these third parties, which ultimately increased the companies’ security risks.
Common Themes Among Companies with Strong Cybersecurity Reputations
In companies with strong cybersecurity reputations, we observed several key practices that reflect a proactive, supportive, and collaborative approach to security.
Proactive and Comprehensive Training Programs: These companies consistently invest in ongoing cybersecurity training. At Walmart, employees highlighted regular training and cybersecurity awareness initiatives, which helped reduce human error. Apple and IBM employees also cited comprehensive training programs that emphasize not only technical skills but also vigilance in data handling.
Strong Leadership Engagement in Security Culture: Employees at Cisco and JPMorgan Chase described how leaders actively champion cybersecurity, fostering a company-wide commitment. For example, Cisco conducts regular “security town halls” to update employees on threats and policies, reinforcing the collective commitment to security.
Clear Communication Channels for Security Concerns: These companies prioritize open communication, encouraging employees to report issues without fear. Google employees appreciated an “open-door policy” that ensured prompt responses to security concerns, while employees at Bank of America felt empowered to raise security issues, knowing their feedback would be valued and acted upon.
“We feel empowered to speak up and know we’ll be heard.”
Collaborative Environment and Peer Support: These companies foster a culture of teamwork and shared responsibility for security. At Meta, cybersecurity is framed as a team effort, with peer-based challenges to reinforce secure practices. This collaborative approach builds collective accountability and reduces the likelihood of accidental breaches.
“The people you get to work with are bar none the smartest ones I've ever had the chance to collaborate with on solving security problems.”
Investment in Cutting-Edge Technology: Employees at companies like Tesla and Microsoft describe their employers as leaders in adopting advanced security technology. Microsoft leverages the latest encryption standards and regularly upgrades systems, while Tesla emphasizes cybersecurity innovation to align with its technological advancements, keeping pace with evolving threats.
Incentives for Security Best Practices: To promote secure behavior, several companies offer incentives. For example, Goldman Sachs rewards employees who actively contribute to security improvements, such as by identifying vulnerabilities. This approach reinforces good security habits and encourages continuous vigilance.
This analysis shows that companies excelling in cybersecurity don’t just rely on technical measures—they cultivate a culture where security is everyone’s responsibility. Through consistent training, strong leadership engagement, open communication, and cutting-edge technology, these companies build a resilient cybersecurity posture grounded in organizational health.