How to Build a Culture of Cybersecurity Awareness Considering the Naija Factor

By Umar Farouk · Published April 20, 2026 · 13 min read · Source: Blockchain Tag

Cybersecurity awareness is an active force within every company’s culture. It serves as the quiet sentinel guarding each email opened, every password chosen, and every system login attempted.

If you have ever doubted the reality of cyber threats, you need look no further than the past 4–6 weeks. Major financial institutions, including FCMB and Sterling Bank, and even the Corporate Affairs Commission (CAC), were breached. Cyber threats are not theoretical affairs or case studies but our daily realities.

The risk is universal, from ransomware attacks on multinational corporations to phishing scams targeting small business owners. Yet despite billions spent annually on cybersecurity tools, most breaches still happen because of one thing: human error. In Nigeria specifically, we are resistant to change and very stubborn.

Proofpoint’s 2024 Voice of the CISO report found that three in four (74%) chief information security officers (CISOs) said human error was their top cybersecurity risk. This reveals significant growth from last year’s 60% of CISOs expressing this sentiment. The study also found a key gap between CISOs and the boardroom. Board members were less likely (63%) to point to human error than CISOs, which shows that CISOs should focus on educating leadership as well as employees.

Several of the top causes for data loss events in the survey were related directly to employees. The top response (42%) was negligent insider/employee carelessness, such as an employee misusing data. Other reasons included a malicious or criminal insider (36%), stolen employee credentials (33%) and lost or stolen devices (28%).

The IBM 2024 threat index supports this finding, indicating that 30% of attacks start with phishing. However, phishing attacks are down from 2022, both in volume and as the initial attack vector. The report points to the continued adoption and reevaluation of phishing mitigation techniques and strategies as one of the reasons for the reduction.

Organizations must take a proactive approach to cybersecurity, which includes providing training so employees can learn safe practices while also setting up processes that reduce risk.

Building a culture of cybersecurity awareness is, therefore, not a technical initiative; it’s a human one.

What is Cybersecurity Awareness?

Most organizations confuse awareness with training. They think a once-a-year online quiz is enough. It’s not.

Proper cybersecurity awareness is a continuous cultural process: a shared mindset where every individual feels responsible for protecting the company’s digital assets and understands their role in promoting security.

It involves education, communication, behavioral reinforcement, and leadership alignment. It’s less about teaching people what to do and more about helping them understand why it matters.

When employees see cybersecurity as part of their job, not an IT problem, everything changes.

The Human Shield: Why Awareness Must Complement Technology

You can have a suite of technical security controls, such as firewalls, endpoint protection, and encryption, in place. But if an employee clicks a malicious link disguised as a legitimate communication, all that investment collapses in a second (note: there are technical security controls that are put in place to block phishing emails and malicious links).

This is why awareness must sit alongside technology as an equal pillar of any security strategy. Security awareness training equips employees to recognize red flags — suspicious emails, unusual login requests, unsolicited USB drives. It cultivates a culture where security is everyone’s responsibility, not just the IT department’s concern. When staff understand why certain behaviors are risky, they are far more likely to act with caution.

But awareness is not a one-time checkbox exercise. Threat actors evolve continuously, and so must human knowledge. Regular simulations, phishing drills, and updated training ensure that vigilance doesn’t decay over time. The goal is to build instinct in a workforce that pauses before clicking, questions before sharing, and reports before ignoring.

Technology and awareness are not competing investments; they are complementary layers of defense. Firewalls stop known threats at the gate. Informed humans stop unknown ones before they even arrive. Together, they form the most resilient security posture an organization can build — one where the human, once the weakest link, becomes the strongest shield.

Why Teams Struggle to Build a Cybersecurity Culture

Many well-meaning organizations fail to make cybersecurity awareness work. I have experienced this in multiple organizations I worked with or consulted for.

They roll out compliance training that’s dull, technical, and detached from employees’ daily work. They punish mistakes instead of rewarding vigilance. They treat security as a project, not a philosophy.

The result? Employees tune out. Awareness fades. Vulnerabilities grow.

A culture of cybersecurity awareness thrives only when it is consistent, inclusive, and psychologically safe. People must believe they can report mistakes without fear and that their actions genuinely make a difference.

The Stakes Are Higher Than Ever

Cyberattacks have become more creative, more targeted, and more damaging.

But beyond financial loss, a breach affects trust with customers, partners, and employees alike. In the era of remote work and hybrid teams, trust is valuable currency.

That’s why cybersecurity awareness is no longer optional. It’s essential.

Building a Cybersecurity Awareness Culture: Step-by-Step Guide

It would be remiss of me to preach cybersecurity awareness culture without sharing what has worked for me (tbh this is at a large school and medium-scale enterprise level, with an enterprise I am still finding my footing). I will be sharing a step-by-step guide in the next section.

Step 1: Leadership Commitment sets the tone

No awareness initiative can survive without leadership buy-in. Employees look to leaders for cues on what matters.

When executives talk openly about cybersecurity in meetings, participate in training, and share stories of vigilance, it sends a powerful message: security is everyone’s business.

Leaders must model the behaviors they want others to adopt: using multifactor authentication, reporting suspicious emails, or following clean desk policies.

According to Gartner, companies with visible leadership participation in cybersecurity programs see up to 50% higher employee engagement rates in awareness activities.

Culture cascades from the top down.

Step 2: Make Awareness Personal and Relevant

People engage when they see relevance. Making cybersecurity personal brings home the fact that it is not just the corporation getting hit, but real people around them: friends, families and acquaintances alike.

Show employees how cyber threats can affect not just the organization but also their personal lives: stolen credit card details, identity theft, or compromised family data.

Using real-world examples drives home the point:

I usually begin the engagement by asking people to share an experience of when they were scammed. This serves a few purposes:

There are people in the set who have never experienced any successful cyber attack; at the end of this exercise, they are able to visualize the threat and internalize the lesson.

Cybersecurity awareness campaigns that link security habits to personal protection create deeper, longer-lasting behavior change.

Step 3: Train Continuously, Not Occasionally

Cybersecurity awareness fades quickly. Studies show that employees forget 70% of training content within a week if it’s not reinforced.

The solution? Continuous learning.

Microlearning (short, focused modules of 5–10 minutes) keeps cybersecurity top of mind without disrupting workflow. Combine it with engaging formats like quizzes, interactive videos, and gamified challenges.

For example, I used the platform KnowBe4 for continuous learning, and they have gamified learning that promotes fun and reinforces memory retention. They also have video series that employees found very engaging, especially “insider threat”, a show on social engineering.

Step 4: Simulate Real Threats

Practice makes perfect, and cybersecurity is no exception.

Running simulated phishing campaigns regularly to test awareness in realistic conditions is a must. These exercises identify vulnerable areas and offer instant, personalized feedback.

However, avoid shaming employees who fall for simulated attacks. Instead, turn those moments into teachable opportunities. The goal is growth, not guilt.

Data from KnowBe4 shows that organizations running monthly phishing simulations improve resilience by up to 75% within 12 months.

Simulation turns theory into actionable daily practices.

Step 5: Communicate Creatively and Frequently

The best awareness campaigns use creativity to stay memorable.

Avoid dense policy documents. Communicate policies frequently and openly. Share them physically and digitally if you have to. Use infographics, short videos, emails, memos or memes that grab attention. Make cybersecurity visible in frequently visited areas, dashboards, and chat channels.

In my experience, KnowBe4 is my go-to platform. They have a suite of short videos, including infographics that can be printed and pasted on walls or simply emailed to everyone.

Your communication doesn’t need to be fancy; it needs to be human. A little humor and design go a long way toward engagement.

Step 6: Create A Safe Channel for Reporting

A strong cybersecurity culture depends on open communication.

Employees should never fear reporting suspicious activity or admitting to mistakes. Early reporting can stop a small incident from becoming a disaster.

Establish a simple, confidential reporting process, like a Slack channel, a helpdesk line, or a form. Reward quick reporting publicly.

Once again, we are building a culture here, and I am sure open and non-judgmental communication is very attractive for a healthy working environment.

As Google’s former security engineer Heather Adkins once said, “Security fails when people are afraid to tell you the truth.”

Step 7: Recognize and Reward Positive Behavior

Behavioral science shows that recognition shapes habits. When people are praised for doing something right, they repeat it.

Celebrate those who complete cybersecurity challenges, report phishing attempts, or help others stay secure.

One mid-sized U.S. law firm introduced “Cyber Hero Fridays,” where employees who demonstrated exemplary security behavior were highlighted in company newsletters. Within six months, security incident reporting rose by 62%.

Positive reinforcement turns cybersecurity from a rulebook into a shared value.

Step 8: Measure What Matters

Continuous improvement and harmonization of data provide the foundation of improving any cybersecurity program. You can’t improve what you don’t measure.

I advise you to track data such as:

Visualize results in dashboards and share progress with management. Seeing measurable improvement boosts morale and accountability.

According to Forrester Research, organizations that measure behavioral indicators, not just compliance, experience 37% fewer security incidents over time.

Data drives harmonization and optimization.

Step 9: Align Security and Business Goals

A common notion is that cybersecurity is a barrier to productivity and innovation.

In truth, cybersecurity enables business continuity, customer trust, and innovation. Awareness programs should communicate that secure behavior isn’t restrictive, it’s empowering.

When employees understand that cybersecurity protects their work, their clients, and their company’s reputation, resistance begins to turn into advocacy.

Always frame cybersecurity awareness programs not as a cost, but as a strategic investment and enabler of business.

Step 10: Keep Evolving with the Threat Landscape

Cyber threats evolve constantly and so should your awareness program.

Regularly update your training materials and campaigns to reflect emerging trends: AI-powered scams, deepfake impersonations, or QR-code phishing (“quishing”).

Incorporate stories from recent global incidents to stay relevant. For example, after the 2024 MGM Resorts breach, several hospitality firms updated their training to focus on social engineering awareness.

Cybersecurity culture is never “done.” It’s a continuous evolution of habits, communication, and trust.

Common Mistakes That Undermine Cybersecurity Awareness Efforts

Cybersecurity awareness programs fail less because of lack of effort and more because of subtle, repeated mistakes. If you’re building or auditing one, these are the patterns that quietly undermine effectiveness:

Overwhelming Employees with Technical Jargon

Avoid overcomplicated language. Translate “enable multifactor authentication” into “add a second lock to your account.” Simple, relatable communication always wins. Translate “data breach” into “exposed or stolen credentials or passwords”. Translate “Patch” into “fixes for security problems in your apps or system”.

Treating Training as a One-Time Event

Security threats evolve daily; awareness should too. Reinforce key topics quarterly, not annually, to keep employees alert and informed.

Failing to Align Security Goals with Business Objectives

When employees see cybersecurity as a blocker, they’ll find ways around it. Align awareness programs with productivity and business outcomes to ensure buy-in.

Building Cybersecurity Awareness Across Hybrid and Remote Teams

Hybrid and remote work have permanently changed the working landscape. With employees using personal devices, home Wi-Fi, and a mix of collaboration tools, the traditional network perimeter has disappeared. Each connection now represents a new point of potential risk.

A 2024 Gartner study found that 68% of breaches involving remote workers stemmed from insecure home networks or shared devices. That statistic alone underscores why cybersecurity awareness must extend beyond the office walls.

The most effective way to maintain vigilance is through structured, ongoing engagement.

Brief virtual sessions, monthly phishing drills, and quick “cyber check-ins” can help remote employees stay alert to new threats. Encouraging managers to start meetings with a “Cyber Tip of the Week” keeps awareness consistent and approachable.

Beyond training, ensure remote teams have secure tools: VPNs, password managers, and endpoint protection, and understand why these safeguards matter. Pairing practical education with the right resources builds both competence and confidence.

Finally, make security personal. Remind remote employees that protecting company data also protects their own digital lives. When cybersecurity awareness becomes part of everyday communication, it transforms from a policy into a shared habit.

Enforce policy

Awareness without enforcement becomes optional advice. Enforcement without awareness becomes frustration.

You need both working together.

Reinforce policy with real consequences

If users violate policies and nothing happens, awareness loses credibility.

Examples:

Consistency is more important than harshness.

Conclusion

As cybersecurity strategist Bruce Schneier famously said, “Security is not a product, but a process.” That process must live inside your company culture.

Cybersecurity awareness isn’t built in a day. It’s built every time an employee pauses before clicking, verifies a sender, or reports a suspicious link.

It’s built through conversation, curiosity, and consistency.

The organizations that thrive in the digital age are those that understand that technology protects systems, but awareness protects everything else.

Building a culture of cybersecurity awareness is not just about reducing risk. It’s about cultivating trust, confidence, and resilience in every corner of your organization.

When awareness becomes habit, cybersecurity becomes culture, and culture is the best defense of all.

This article was originally published on Blockchain Tag and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].
