How to Build a Cyber Security Culture and Make It Stick

Time to make a change…

In 2018, the UK implemented the General Data Protection Regulation (GDPR), replacing the previous Data Protection Act (DPA). The GDPR introduced stricter guidelines and penalties, aiming to provide individuals in the EU with greater control over how their data is used and stored by companies worldwide.

Under GDPR, organisations must report data breaches to the Information Commissioner’s Office (ICO) within 72 hours. Affected individuals must also be notified without delay. This requirement exposes businesses to potential negative publicity and loss of customers, in addition to the challenges of addressing and rectifying the breach.

In 2024, the ICO has observed a notable increase in data breach notifications, with over 20,000 incidents reported in the past year alone. The average fine for GDPR violations has also risen, now averaging around €2.1 million. The cumulative total of GDPR fines is now approaching €5 billion, emphasising the urgent need for strong data protection measures.

The problem at hand…

A strong cyber security culture can be the most effective tool against cyber threats and also one of the most cost-effective. But despite its importance, only 18% of UK businesses have provided some sort of cyber security training to staff, according to the latest Cyber Security Breaches Survey. With such low engagement, it’s no surprise that businesses are vulnerable.

It’s rare to find a cyber-attack that relies solely on technology to break into a system. Most threats are designed to exploit the weakest link – the user. Tricking a careless or uninformed employee is often the easiest way to bypass security measures.

In the last 12 months, the most common type of breach experienced by UK businesses were:

• Phishing attacks, i.e. staff receiving fraudulent emails (84%)
• People impersonating the organisation in emails or online (35%)
• Viruses, spyware and malware (17%)
• Takeovers or attempts to take over your website social media accounts or email accounts (8%)

Many breaches occur through email due to employees’ lack of awareness, often stemming from traditional cybersecurity training being perceived as boring. This perception is reinforced by memes and jokes circulating on social media about employees rushing through their annual training. While such training may meet compliance standards, it does not promote the engagement necessary to combat cyber threats effectively.

To combat this, organisations should make training more engaging through interactive elements and real-world scenarios. By incorporating simulations of actual phishing attempts and using storytelling or role-playing, cyber security training can evolve a mundane task into a relevant and empowering learning experience.

People and culture – the cure?

Cyber security culture needs to be carefully cultivated – it won’t happen on its own. It’s essential to move beyond basic annual training and find ways to truly engage your team. Relying on IT departments alone sends the wrong message: that cyber security isn’t everyone’s job. To break this mindset, you need to actively engage your workforce. Here are some simple and cost-effective ways to do it:

• Bring everybody to the table: From the CEO to frontline staff, inclusion is key. Cyber security affects everyone, and one careless employee can negate the best systems. Make sure everyone feels responsible for maintaining security standards.
• Education, education, education: Many cyber-attacks rely on social engineering, manipulating people rather than technology. A recent report found that 30% of employees admitted to falling for a phishing email or text in the past. Education is the only true preventative measure. Using interactive end-user awareness training platforms, like KnowBe4, can make learning more engaging and less of a checkbox activity, helping employees absorb crucial information that keeps your business safe.
• Reward and recognise good practice: People respond well to positive reinforcement. Offering small rewards or bonuses for employees who follow cyber security best practices can go a long way in making them feel that security is part of their everyday responsibilities. You could conduct random checks for things like locking computer screens, or even run phishing tests to see who spots suspicious emails. The key is to foster a culture of encouragement rather than blame. Employees should feel motivated to actively participate in keeping the business secure.
• Break it down: General, long-winded meetings about cyber security often fall flat. Instead, try shorter, more frequent sessions with smaller groups. This creates space for open dialogue and questions. Webinars are another great option, providing flexibility for employees to listen in or ask questions. You can also record these sessions to use as refresher courses or for new starters. This consistent, bite-sized approach can turn a once-a-year event into a regular learning opportunity.
• Reinforce, upkeep and encourage: Changing a company’s cyber security culture takes time. It won’t happen overnight. Make sure to get employee buy-in early by talking to them about what kinds of training they find useful, and give them time to adapt to new systems. Managers and team leaders should actively support these changes. You should also make cyber security a permanent fixture in your employee onboarding process. The goal is to maintain continuous learning and awareness across the business. Prevention is always better than cure, and a well-educated workforce is your first line of defence.

A layered defence strategy

Cyber security doesn’t start and stop with user education, it’s just one part of a layered defence strategy. While employee awareness and engagement are critical, they need to work alongside advanced security solutions Endpoint Detection and Response (EDR) to monitor and respond to potential threats in real-time, and email security systems, like Mimecast, to filter out phishing attempts and malicious content before they reach your employees. These solutions work together to provide multiple layers of protection, reducing the risk of human error and stopping attacks before they can cause harm.

No single measure is sufficient on its own, but by combining ongoing end-user training with advanced cyber security tools, your organisation can significantly reduce its vulnerability to threats. If you’re ready to strengthen your defences, contact us to learn more about our cyber security services and how we can help you implement a comprehensive security strategy, including helping you implement and achieve the Cyber Essentials certification. 

Cyber security toolkit

At Air IT, we are committed to helping organisations safeguard themselves against devastating cyber attacks. Download our toolkit to gain insights into the current cyber threat landscape and discover practical strategies to enhance your protection.