Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news’ editorial.
As the digital asset industry continues to mature, security remains a critical concern. High-profile breaches, evolving attack vectors, and increasing regulatory scrutiny have highlighted the importance of not just technical defenses, but the organizational culture that supports them.
Summary
- Tech alone isn’t enough. Most crypto security breaches still stem from traditional web2 vulnerabilities, making a security-first culture — not just blockchain defenses — essential to protecting assets and reputation.
- Culture starts with people. Strong leadership, incident response teams, adaptive phishing training, and peer-driven accountability transform security from a compliance box into a shared mindset.
- Security must extend beyond work. Investing in employees’ personal digital safety builds trust, awareness, and long-term resilience — proving that true security comes from people as much as from technology.
According to the IBM Cost of a Data Breach 2024 report, the average global breach cost has reached $4.88 million, with companies now spending $6.08 million dealing with data breaches. A security-first culture, where awareness, responsibility, and vigilance are embedded into the DNA of a company, can be a decisive factor in mitigating such risk.
Security in the digital asset space is often viewed through the lens of blockchain technology: multi-signature wallets, air-gapped storage, and advanced encryption. While these controls are vital for ensuring the operational security and integrity of custodied digital assets, they are not a silver bullet and, as always, should be one layer of a defense-in-depth strategy. Almost all major security breaches in the crypto industry, such as the Bybit hack earlier this year, stem from traditional web2 attack vectors rather than blockchain vulnerabilities.
This matters because the controls surrounding these breaches and near misses need to be of a more “traditional” nature. They include Endpoint Detection and Response (EDR), web proxy tools that scan and block malicious or uncategorized URLs, sandbox technologies that detonate attachments and downloads, and email security controls that block the payloads that regularly lead to compromise. Finally, and perhaps most importantly, they include a strong security culture that proactively prevents a compromise from occurring in the first place.
A security-focused organizational culture ensures that human factors are proactively addressed. In an environment where a single misstep can lead to significant financial and reputational damage, fostering a culture that prioritizes security is no longer optional; it’s essential. Employees are still, simultaneously, the weakest link and the first line of defense, and it’s vitally important to emphasize the second of these attributes whilst minimizing the first.
Building a security-first culture
Building and sustaining a strong security culture is difficult, especially in fast-growing or resource-constrained organizations. Cultural change requires leadership buy-in, consistent reinforcement, and the willingness to learn from both internal incidents and external events. It also requires balancing operational efficiency with rigorous controls, often a point of tension in fast-paced environments. Businesses looking to embed a security-first culture should focus on the following key areas:
- Formalized incident response through planning, preparation, and distributed responsibility
A Computer Security Incident Response Team (CSIRT) demonstrates organizational maturity through its cross-departmental structure and comprehensive workflows. This working group should have full authority to respond, restore, and allocate resources during critical incidents without seeking approval, backed by clear responsibilities that span the entire organization. From the Incident Commander who owns the entire lifecycle, to specialized roles covering regulatory liaison, production response, and operations coordination, the CSIRT distributes responsibility whilst maintaining unified command. When an incident occurs, the organization mobilizes around this proven framework where everyone understands their role and has the authority to execute it. This isn’t theoretical preparation: it’s active proof of leadership commitment to security as a shared responsibility.
- Intelligence-informed phishing resilience
Phishing remains a primary vector for compromise across the sector. Effective approaches go beyond generic training: campaigns should be informed by adversarial trends observed in the wider ecosystem. As phishing campaigns have moved from simple credential theft to sophisticated fake security checks that trick users into running malicious commands, training programs must adapt in parallel. Sometimes campaigns should mirror active attack patterns to reinforce awareness; other times they should deliberately diverge to ensure staff remain alert. This adaptive model keeps resilience high and engagement strong, turning phishing defense into an organizational strength rather than a vulnerability.
- Security drop-in sessions
Monthly security operations hosting open sessions attended by a significant share of the organization can prove highly effective. These should cover emerging technologies, the evolution of AI, new platforms, and how these shifts intersect with security both at work and at home. By leading with engaging, plain-language explanations of global incidents and innovations, the sessions draw in participants before addressing organizational implications, whilst also equipping staff to protect themselves personally. This investment in both organizational and individual security can transform the security function from a necessary evil into a subject staff actively seek out, with teams across the business raising potential risks proactively.
- Positive accountability through peer reinforcement and gamification
Security awareness extends beyond formal training. For example, our tried and tested “donuts” protocol transforms device security from policy to practice; leaving an unlocked device in the office unsupervised allows a colleague to post “I love donuts” in team chat, resulting in that user bringing donuts for the office. This light-hearted approach has proven remarkably effective, creating immediate, visible consequences whilst building camaraderie rather than fear around security practices. The result? Clean desk policies and screen locking become second nature across the organization.
- Investing in personal security beyond the workplace
Forward-thinking organizations extend their security commitment beyond office hours through comprehensive personal protection for staff. Where appropriate, organizations can provide enterprise-grade security tools for personal use, including premium privacy suites, VPN services, encrypted storage, data removal platforms, and anti-fraud markers where necessary. Additionally, providing physical security awareness training helps staff maintain personal safety and situational awareness.
This investment in individual security, whilst a direct cost to the business, creates returns through enhanced security awareness and demonstrates that protecting people extends beyond their professional responsibilities. When staff feel their employer genuinely invests in their personal digital and physical safety, they naturally become more invested in organizational security.
A long-term imperative
These initiatives can yield measurable results, with security-related escalations from non-security staff often increasing significantly once implemented. But beyond metrics, they create something more valuable: a workplace where vigilance feels natural rather than forced, and where incident response is a collective capability rather than a specialized function.
In custody, trust is everything. But trust cannot be secured by technology alone. It must be reinforced daily by people who see security as part of their role, not an impediment to it. As digital asset custodians become more central to the financial system, those with a strong security culture will be best positioned to withstand volatility, maintain regulatory confidence, and earn lasting trust from clients and partners.
The organizations that thrive won’t just be those with the best technology. They’ll be those where every employee understands that security is everyone’s responsibility, where that responsibility is embraced rather than endured, and where the entire organization can mobilize effectively when threats materialize.