Cyber security remains an ongoing issue for CIOs and businesses today.

According to The Culture, Media and Sport Committee, 25% of companies experience a security breach at least once a month, with the problem continuing to grow.

An increasing number of CIOs are exploring new ways to protect customers and employees from online threats. And by highlighting security issues and raising the overall awareness of security, CIOs can help combat the ever-evolving threats occurring in the workplace. 

CIO UK looks at how CIOs can raise awareness of security with comments from leading CIOs and digital experts on promoting a security culture.


In some organisations where there is no CISO, it is the responsibility of the CIO to ensure employees are trained and aware of security procedures and implications.

Training can highlight issues such as browser safety, network security and general cyber threats, which can help employees understand security risks overall.

As cyber threats evolve, employees should be updated on the latest threats. This should mean they are prepared and know what malicious content to look out for.

According to the 2016 Global State of Information Security Survey, 53% of organisations have employee training and awareness programmes for protecting against incoming threats.

In order to maintain an effective security strategy, new hires should receive training sessions before joining the work environment.

Exploring creative ways to deliver training through the use of animation, infographics and interactive content can help keep staff engaged and aware of security issues. (See also: Why CIOs should embrace a mentoring role.)

Cultural change

One of the most effective ways to improve awareness of security threats is to encourage a cultural change. A security best practice should be available throughout the workplace, as this offers employees a useful resource to drive forward the shift in attitudes towards security.

CIOs can deliver a security strategy which should underline the importance of security by explaining the risks, any personal concerns and how it will affect the business personally.

Today, employees are exposed to password theft, ransomware and malware, so businesses should be promoting a security culture that can help staff members stay safe online and recognise the telltale warning signs of cyber attacks.

A cultural change should result in the staff’s behaviour adapting to the strategy and becoming more responsive to security protocol. This can help increase employees’ skills, attitudes and own safety when it comes to security.

TalkTalk Business COO Duncan Gooding sees security as much a cultural thing as an IT solution.

“We have a whole cultural initiative from having training, workshops and group projects making staff aware of the types of security and risks in which we would expect in terms of best behaviour approach.”

The COO has helped change TalkTalk’s security strategy since the 2015 cyberattack, which cost the telecom company £400,000 in fines.

“TalkTalk are very much going through a cultural expectance of what security means across the business post the cyber-attack,” he said. “(The strategy) is being discussed at every meeting and the fact that security is embedded in everything we do now from the process and the new products that we launch now being part of the day to day discussion.”

Employees need to understand the part they play in achieving a security strategy. Team collaboration is a great way to establish security in the workplace through planning ideas and setting budgets to help motivate the team to deliver a cultural change. (See also: TalkTalk Business COO Duncan Gooding on security strategy since 2015 cyberattack.)

Create a strategy road map

A common result of cyber attacks has been personal details, including email addresses, bank accounts and user passwords, being accessed and stolen by hackers.

According to the 2016 report of the Culture, Media and Sport Committee, 90% of large organisations have experienced a security breach, with organisations such as Wonga, Three and Sports Direct having recently been hit by massive data breaches.

These infamous breaches have shown a loss of public confidence and cost companies millions of pounds. Raising security awareness can obviously help ensure the company is protected from cyber attacks.

A security roadmap detailing the risk of employees’ actions when online will help protect them against common malicious content associated with document sharing, link clicking and file downloading. A roadmap will also ensure a set path is created which CIOs and employees can call upon when needed.

Collecting information from previous reports and carrying out regular penetration tests will help illustrate the areas CIOs need to address in order to prevent any security vulnerabilities. This can help ensure the business and its data are protected while, of course, raising awareness of security in the workplace.

Provide secure devices

CIOs should be prepared to provide employees with safe and secure IT equipment.

Security concerns surrounding mobile apps, file-sharing and downloads have become an issue for organisations today, with employees connecting to open and vulnerable networks more often.

Device management tools such as Miradore, Spiceworks and SOTI offer an extra layer of security and remote access, meaning that if any vulnerability is detected, the systems administrator can effectively shut down the device and limit the amount of potential damage that might be caused.

As organisations are exploring new ways to protect their customers, CIO Jonathan Monk has turned his attention to information security to help protect his pupils at The University of Dundee.

“We have just deployed Microsoft Enterprise Ability Suite and key wins for that has been assuring personal and mobile devices are secure and encrypted wherever they are,” he said. “If they are accessing data from the university they can then be confident that is safe and secure,” he explained.


You should also consider setting out a mobile or device best practice for security to ensure you are meeting the organisation's security needs and protocol. This approach will assess employee devices to ensure they are connected to the business network safely. 

CIO 100 organisations including Raymond Brown Construction and AstraZeneca are monitoring their user devices to ensure their staff meet company procedures and follow IT policies.

Deciding which applications and devices you want to permit can help ensure company data is protected while also educating staff on the overall risks of security. Regularly monitoring devices can help limit an organisation's risks, reduce IT costs and help manage IT use.
