
Rethinking your human layer of resilience

Ade Taylor
August 4, 2025

Despite billions spent on perimeter defences, endpoint protection, and zero-trust architecture, some of the most successful attacks still begin with a human click.

From phishing emails and credential reuse to misdirected data sharing, people continue to be both a key risk and a vital defence in cyber resilience. And the stakes are rising. As threat actors become more targeted and AI-enhanced attacks more convincing, traditional awareness training is struggling to keep pace.

So how do we create a security culture that actually works? It starts by understanding why people get caught out in the first place – and what could be done differently.

Why do people still fall for attacks?

It’s easy to assume people fall for phishing or social engineering because they’re careless or unaware. But the reality is more complex.

Attackers today do their homework. They craft emails that are highly personalised, well-written, and timed to coincide with real business events. Generative AI has raised the bar further: messages arrive free of the spelling and grammar errors users were taught to look for, mimic internal tone and style, and can be paired with cloned voices or faces. This makes attacks harder to spot, even for trained professionals.

At the same time, users are under pressure. High workloads, multitasking, and decision fatigue all contribute to mistakes. People click because they’re rushed, distracted, or assume trust – not because they haven’t had training.

This combination of external sophistication and internal human factors is exactly why conventional, box-ticking awareness programmes are no longer enough.

Why behavioural science belongs in cyber

If we want to change how people respond, we need to change how we teach. That’s where behavioural science comes in.

Nudge theory, for example, uses subtle, timely prompts to influence better decision-making in the moment. Think pop-ups that warn users before sharing sensitive data, or real-time prompts to re-check email recipients – small, smart friction that prevents big mistakes.

This approach is working. Some studies report that contextual prompts can reduce risky clicks by more than 40%, especially when paired with reinforcement techniques.
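To make the "re-check email recipients" nudge concrete, here is an added example (not code from the original article or its author) of the check such a prompt could run on an outbound draft. The organisation domain, partner allow-list, sensitivity keywords and the sample draft are all assumed for illustration. Internal recipients are never flagged, trusted partners are flagged only when the message looks sensitive, and external addresses are flagged when they are new to the sender, look like a lookalike of the company domain, or would carry sensitive content: a deliberately narrow rule set so the prompt stays a nudge rather than a nag.

```python
"""Outbound-email nudge: decide whether a draft deserves a second look before send.

Added example for illustration, not code from the original article.
INTERNAL_DOMAIN, TRUSTED_PARTNERS, SENSITIVE_MARKERS and the sample draft
are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

INTERNAL_DOMAIN = "example.com"               # assumed organisation domain
TRUSTED_PARTNERS = {"partner-example.org"}    # assumed allow-list of known external domains
# Assumed markers of sensitive content; a real deployment would use its DLP classifier.
SENSITIVE_MARKERS = re.compile(r"\b(confidential|payroll|password|salary|iban)\b", re.I)


@dataclass
class Draft:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)
    # Addresses this sender has mailed before (assumed to come from mail history).
    known_contacts: Set[str] = field(default_factory=set)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted copies of our own domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    # Two edits on an 11-character domain catches 'exarnple.com', 'examp1e.com', 'example.co'.
    # Tune the threshold for short domains, where it will over-match.
    return domain != INTERNAL_DOMAIN and _edit_distance(domain, INTERNAL_DOMAIN) <= 2


def is_sensitive(draft: Draft) -> bool:
    text = " ".join([draft.subject, draft.body, *draft.attachments])
    return SENSITIVE_MARKERS.search(text) is not None


def nudges(draft: Draft) -> List[Tuple[str, str]]:
    """Return (recipient, reason) pairs; an empty list means 'send without prompting'."""
    reasons: List[Tuple[str, str]] = []
    sensitive = is_sensitive(draft)
    for rcpt in draft.recipients:
        dom = _domain(rcpt)
        if dom == INTERNAL_DOMAIN:
            continue                                   # internal mail: never interrupt
        if is_lookalike(dom):
            reasons.append((rcpt, "lookalike_domain"))
            continue                                   # the strongest signal; no need to pile on
        if dom in TRUSTED_PARTNERS:
            if sensitive:
                reasons.append((rcpt, "sensitive_to_partner"))
            continue                                   # known partner, routine mail: no prompt
        if rcpt.lower() not in draft.known_contacts:
            reasons.append((rcpt, "new_external"))
        if sensitive:
            reasons.append((rcpt, "sensitive_external"))
    return reasons


def render(reasons: List[Tuple[str, str]]) -> Optional[str]:
    """Turn reason codes into the short, specific text a user would see in the prompt."""
    text = {
        "lookalike_domain": "this domain resembles ours but is not ours",
        "sensitive_to_partner": "the message mentions sensitive content",
        "new_external": "you have not emailed this external address before",
        "sensitive_external": "sensitive content is leaving the organisation",
    }
    if not reasons:
        return None
    return "\n".join(f"{rcpt}: {text[code]}" for rcpt, code in reasons)


# Constructed sample draft: one internal, one lookalike, one partner, one unknown external.
SAMPLE_DRAFT = Draft(
    sender="alice@example.com",
    recipients=["bob@example.com", "carol@exarnple.com", "dan@partner-example.org", "eve@gmail.com"],
    subject="Q3 payroll export",
    body="Attached as discussed.",
    attachments=["payroll_q3.xlsx"],
    known_contacts={"dan@partner-example.org"},
)

if __name__ == "__main__":
    print(render(nudges(SAMPLE_DRAFT)))
```

The design point is in what is not flagged: routine mail to colleagues and known partners goes out untouched, so the prompt only appears when there is a specific, explainable reason, which is what keeps users reading it instead of clicking through.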

It’s also why gamification is gaining traction. Training that simulates real attack scenarios, including escape rooms or Capture the Flag challenges, makes learning active, memorable and emotionally engaging. People learn better when they’re doing, not just watching.

We remember what we experience, especially under pressure. That’s why experiential learning is one of the fastest-growing areas in cyber awareness.

Different people, different approaches

Not everyone learns the same way. Technical staff may thrive in competitive simulations, while others need short, visual refreshers or storytelling to connect abstract threats to real-life situations.

A one-size-fits-all approach won’t cut it. That’s why the most effective programmes combine methods: policy training, phishing simulations, immersive experiences, and peer learning, all tailored by role, risk profile and learning style.

According to the UK Government's Cyber Security Breaches Survey, fewer than 20% of businesses review the effectiveness of their training – and it shows. Without variety, reinforcement, and feedback, awareness drops off fast.
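Reviewing effectiveness does not need a large programme; it needs a consistent measurement. Here is an added example (not from the original article) of the comparison a phishing-simulation owner could run: per-cohort click rate, report rate and median time-to-report for a campaign before and after training, then a list of cohorts that still need reinforcement. The outcome records, cohort names and the thresholds are constructed assumptions. Report rate is tracked alongside click rate on purpose: a cohort that clicks less but also reports less has learned to ignore suspicious mail, not to raise it.

```python
"""Phishing-simulation effectiveness review, added example with constructed data.

Cohorts, users, campaign names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Outcome:
    campaign: str
    user: str
    cohort: str
    clicked: bool
    reported: bool
    minutes_to_report: Optional[int] = None   # None when the user did not report


# Constructed results: campaign q1 before training, q2 after.
SAMPLE: List[Outcome] = [
    Outcome("q1", "u1", "finance", True, False),
    Outcome("q1", "u2", "finance", True, False),
    Outcome("q1", "u3", "finance", False, True, 30),
    Outcome("q1", "u4", "finance", True, True, 90),    # clicked, then reported anyway
    Outcome("q1", "u5", "engineering", True, False),
    Outcome("q1", "u6", "engineering", False, True, 10),
    Outcome("q1", "u7", "engineering", False, True, 15),
    Outcome("q1", "u8", "engineering", False, False),
    Outcome("q2", "u1", "finance", True, False),
    Outcome("q2", "u2", "finance", False, True, 20),
    Outcome("q2", "u3", "finance", False, True, 12),
    Outcome("q2", "u4", "finance", False, True, 45),
    Outcome("q2", "u5", "engineering", True, False),
    Outcome("q2", "u6", "engineering", False, True, 8),
    Outcome("q2", "u7", "engineering", False, False),
    Outcome("q2", "u8", "engineering", False, False),
]


def cohort_metrics(outcomes: Iterable[Outcome], campaign: str) -> Dict[str, dict]:
    """Click rate, report rate and median minutes-to-report per cohort for one campaign."""
    by_cohort: Dict[str, List[Outcome]] = defaultdict(list)
    for o in outcomes:
        if o.campaign == campaign:
            by_cohort[o.cohort].append(o)
    metrics = {}
    for cohort, rows in by_cohort.items():
        n = len(rows)
        times = [o.minutes_to_report for o in rows if o.reported and o.minutes_to_report is not None]
        metrics[cohort] = {
            "n": n,
            "click_rate": sum(o.clicked for o in rows) / n,
            "report_rate": sum(o.reported for o in rows) / n,
            "median_minutes_to_report": median(times) if times else None,
        }
    return metrics


def cohorts_needing_reinforcement(outcomes: Iterable[Outcome], before: str, after: str,
                                  min_click_drop: float = 0.10,
                                  min_report_rate: float = 0.50) -> List[str]:
    """Cohorts whose click rate did not fall by min_click_drop, or whose report rate
    after training is below min_report_rate. Thresholds are assumed values."""
    outcomes = list(outcomes)
    pre, post = cohort_metrics(outcomes, before), cohort_metrics(outcomes, after)
    flagged = []
    for cohort in sorted(post):
        click_drop = pre.get(cohort, {}).get("click_rate", 1.0) - post[cohort]["click_rate"]
        if click_drop < min_click_drop or post[cohort]["report_rate"] < min_report_rate:
            flagged.append(cohort)
    return flagged


if __name__ == "__main__":
    for camp in ("q1", "q2"):
        print(camp, cohort_metrics(SAMPLE, camp))
    print("needs reinforcement:", cohorts_needing_reinforcement(SAMPLE, "q1", "q2"))
```

In the constructed data, finance halves its click rate and lifts its report rate to 75%, so it passes; engineering clicks no less than before and its report rate falls to 25%, so it is the cohort to revisit, even though its raw click rate looks acceptable.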

So what should CIOs be thinking about?

Security awareness is evolving – fast. These five shifts show where your focus needs to be next.

  1. AI has changed the game: Attackers now have tools to scale, personalise and polish attacks. You need to train people for what’s coming, not what used to work.
  2. Engagement is the new metric: If staff aren’t paying attention, training doesn’t matter. Immersive, gamified formats outperform passive e-learning every time.
  3. Nudge, don’t nag: Real-time, contextual nudges improve decision-making and reduce error without user fatigue or disruption.
  4. Blend your approach: Combine different techniques to reach different people. The right mix builds stronger habits and longer-term behaviour change.
  5. Lead from the front: Cyber culture starts at the top. If leaders don’t engage, neither will anyone else. Make it visible, credible, and part of daily conversation.

True resilience comes from creating a culture where secure behaviour is second nature across every function, not just IT.

Looking ahead

The human layer of cyber resilience is no longer a soft topic; it’s a strategic one. Attackers are investing in better tools, sharper lures, and smarter social engineering. Your people need the same level of support.

Security awareness can’t be an annual video. It has to be ongoing, adaptive, and designed to work for the people you rely on most. Because in the end, whilst your people can be your biggest risk, they can also be your strongest defence. The difference lies in how well you equip them to play their part.


Written by Ade Taylor

Head of Security Services