The Importance of Work Culture for Better Cyber Security

By Brandon Foster

Introduction

Picture this: an organization runs and operates a machine shop. The IT supervisor, who has admin access to different financials due to low staffing and poor separation of duties, is over-stressed, overworked, and constantly has more and more demanded of him. The supervisor is struggling and receives a call from an executive at a remote branch demanding that he quickly give new staff access to accounts payable. In a rush, purely out of the habit of quickly fixing what’s broken and moving out of the way, the supervisor unknowingly assists in the loss of millions for the organization. The organization takes a massive loss because the executive was not even affiliated with the organization, but was a threat actor who leveraged social engineering and AI. And it worked because the supervisor was so used to being rushed and to demands that things happen now. So, how exactly does work culture affect an organization’s Cyber Security threats and risks?

Work Culture & The Unknown Risks

Work culture is important for any organization for numerous reasons. It can help retain staff at an organization. It can ramp up profits and increase productivity among the staff. There are benefits and drawbacks depending on the environment and culture that is sewn into the organization. An organization with the mindset that faster is always better, and that tends to rush individuals, may find itself opening up to more risks from outsiders.

To really build a stronger security posture, organizations must start looking at the culture of the company. According to Edgar Schein, there are three levels of organizational culture: artifacts, which represent the organizational structures and processes; espoused beliefs and values, which state the organization’s strategies, goals and philosophies; and lastly, basic assumptions, which are the perceptions, thoughts and actual feelings of the individuals in the organization (Dimitrov, 2013). These three levels can help build a picture of an organization’s work culture and make it easier to dissect where issues may be (Dimitrov, 2013).

Now that these three levels are understood, the issues fall on the third level, the basic assumptions. The basic assumptions are the deepest level of corporate culture because they are so ingrained in the organization, at the roots of the company (Dimitrov, 2013). With that being stated, it can take some time to make significant changes to fix the threats introduced to an organization via company culture. The basic assumptions may include beliefs like, “I am not responsible for the Cyber Security of my organization as an employee, as I am not IT.” This basic assumption can be the root cause of breaches for an organization.

Creating a security-by-nature mindset is the solution for organizations facing these company culture concerns. This starts with a complete review of the basic assumptions about the organization. The following are example questions from an independent researcher’s study that can help gauge basic assumptions:

Source: Journal of Modern Science, https://www.jomswsge.com/pdf-156776-83352?filename=Human%20_%20the%20weakest%20or.pdf (Sidor-Rządkowska, 2022)

These general questions can help organizations gauge where employees’ basic assumptions about the company stand. So how exactly can these assumptions increase leverage for threat actors?

The Rise of Social Engineering

Social engineering is a tactic that employs the art of manipulation and other methods to leverage things like company culture in order to exfiltrate data and information from the organization. Social engineering isn’t going away and usually relies on the general kindness of human nature. With the introduction and widespread use of AI, social engineering has seen a sharp rise. With things like Deepfakes-as-a-Service and increased phishing capabilities from AI, organizations are having to look for more ways to combat commonly used and ever-changing tactics from threat actors (Wesen, 2025).

According to IBM, in 2022, social engineering was the leading cause of an organizational breach (IBM, 2022). Organizations must take steps to learn about social engineering and how it works, then look to remediate starting at the roots of the company. There are six principles of persuasion, and it helps for an organization to train its employees on them, as threat actors use them heavily: reciprocity, commitment and consistency, social proof, authority, a want to be liked, and scarcity (Bravo & Toska, 2023).

These six principles will be used against an organization by outside threats, and training to prevent them from succeeding is imperative to organizational security. By now organizations have frequently seen the most typical phishing tactic: rushing employees to do something fast, without telling anyone, and to get it done. An example is a request to send an unknown address a large number of $10 Amazon gift cards. These tactics work, and although that is only a financial loss, imagine if the tactic were aimed directly at a Financial Administrator with direct access to organizational funding, as seen in a recent attack on a CFO in which the organization lost 25 million dollars (Chen & Magramo, 2024).

The Solution to Fixing Poor Work Culture

So, what is a company to do? How can it fix something that has been there since day one? Well, first off, it’s not going to happen overnight. When new policies and standards are created, employees don’t just decide overnight to adhere to them. Organizations must start off slowly, gauging how willing their employees are to change. If massive changes occur with little to no warning, the organization can quickly lose key employees with organizational knowledge that can’t be replaced. This will do more harm than good and can create further issues with the assumptions of the organization.

So, what is the best way to start creating a solution individually tailored to an organization’s company culture? By getting management assistance, support and follow-through for the entirety of the company’s cultural shift (Sidor-Rządkowska, 2022). Having support from executives to help change company culture can really make a push in the right direction. When employees see leadership doing things they aren’t, they start to question themselves (Sidor-Rządkowska, 2022). With leadership support for training and continued education, company culture can see a massive shift for the better, as can the organization’s security posture.

Training and support are important to help shift organizations towards a safer and more secure future. Organizations must understand that in today’s vast world of ever-changing information systems, the time to work and the time to learn are no longer different from each other. They are almost one and the same. An employee who doesn’t have time to learn the processes the organization requires of him isn’t going to perform adequately without training and support. The cost to the organization of having someone continue to carry out processes incorrectly can climb, and those costs can easily be saved through training and continued education for the employee. This has two benefits. The company has an employee with organizational knowledge who gets better and better at processes, and the employee is also going to feel better working for an organization that actively wants to invest in the training and education of its employees.

Conclusion

In conclusion, work culture does more than just affect overall employee morale, productivity and company profits. It can help strengthen an organization’s security posture in ways the organization may not be aware of. But company culture can also hinder an organization without it being aware. With training and education for employees, and a work culture that promotes continued learning, organizations can see a shift in their security posture. It’s important that organizations take the time to be aware of ever-changing technologies in the modern world and look to remediate the company culture that just may be the cause of their next headache.

References

Bravo, C., & Toska, D. (2023). The Art of Social Engineering. Packt Publishing Ltd.

Chen, H., & Magramo, K. (2024, February 4). Finance worker pays out $25 million after video call with deepfake “chief financial officer.” CNN. https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html

Dimitrov, K. (2013). Edgar Schein’s Model of Organizational Culture Levels as a Hologram. Economic Studies, 22(4), 3–36.

IBM. (2022, June 14). Social Engineering. Ibm.com. https://www.ibm.com/think/topics/social-engineering

Sidor-Rządkowska, M. (2022). Human – the weakest or the strongest link? The role of organisational culture in ensuring security of remote work. Journal of Modern Science, 49(2), 608–620. https://doi.org/10.13166/jms/156776

Wesen, R. (2025, January 16). Beyond Phishing: Exploring the Rise of AI-enabled Cybercrime – CLTC UC Berkeley Center for Long-Term Cybersecurity. Berkeley. https://cltc.berkeley.edu/2025/01/16/beyond-phishing-exploring-the-rise-of-ai-enabled-cybercrime/
