
Transforming your cyber culture: Enhancing security behaviours and reducing cyber risks

Jul 9, 2025

Executive summary

Cyber criminals increasingly leverage sophisticated techniques, such as phishing schemes and AI-driven attacks, to exploit vulnerabilities in systems and networks.

As these threats continue to advance, the need for cyber security measures to match them has never been more critical.

However, technology alone cannot provide the necessary defence against these complex and evolving threats. Human behaviour also plays a fundamental role.

This statistic highlights that while humans are often targeted as the entry point for cyber attacks, they also hold the key to security resilience. It is therefore essential to focus on empowering individuals through training and development rather than subjecting them to blame.

Investing in your people can transform a vulnerability into a powerful first line of defence. At the heart of this transformation is the creation of a positive and proactive cyber culture. While a basic cyber culture enforces policies and involves occasional training sessions, a high-level cyber culture, boosted by strong leadership, goes further by embedding security conscious behaviours into the fabric of everyday operations.

By nurturing an environment where cyber security is viewed as a shared responsibility and an integral aspect of your organisation’s ethos, you can dramatically influence security behaviours and reduce your overall cyber risk.

This document explores the strategies and best practices necessary to enhance security behaviours, mitigate cyber risks, and build a resilient, positive cyber culture.

The rising cyber security threat

As organisations continue to expand their digital infrastructures, integrating cloud computing, IoT devices, and AI-driven technologies into their operations, they inadvertently increase their exposure to cyber threats. Cyber criminals are evolving their tactics, utilising advanced techniques such as spear-phishing, ransomware, and zero-day exploits to infiltrate even the most secure networks.

The human element in breaches

Recent studies, such as the Verizon Data Breach Investigations Report (DBIR), show that many security breaches are attributed to non-malicious human error. These errors can range from clicking on a malicious link in a phishing email to misconfiguring security settings.

The considerable share of breaches linked to human actions shows that, despite their best intentions, employees can inadvertently become a gateway for cyber criminals.

Rather than using this reality to apportion blame, use it as an opportunity to reflect on the complex and challenging environments in which your employees operate daily.

Limitations of technical controls

While technical controls such as firewalls, intrusion detection systems, and email filters are essential components of a robust cyber security framework, they are not infallible. These and other measures are designed to detect and block known threats, but as cyber criminals continue to refine their methods, these defences can be circumvented.

For example, sophisticated phishing attacks can bypass email filters by mimicking legitimate communications, while advanced malware can evade detection by exploiting unknown vulnerabilities. The limitations of standard technical controls demonstrate the necessity of fortifying them with a strong focus on the human aspect of cyber security.

As cyber threats grow in sophistication, it is essential to recognise that technology alone cannot provide a foolproof shield. The human factor remains critical. Enhancing awareness, providing quality training, and promoting the overall cyber culture within your organisation are key to risk mitigation and strengthened defences.

The human element in cyber

Cyber criminals often target individual employees because human vulnerabilities are perceived as easier to exploit than technological defences. Unlike systems that follow set rules and protocols, human behaviour is varied and unpredictable, making it ideal for exploitation.

Cyber attackers understand that even the most advanced security systems can be bypassed if they’re able to trick a person into granting access or revealing sensitive information. This insidious approach preys on the human traits of trust, curiosity, and a desire to be helpful, making it more cost-effective for the attackers and increasing their likelihood of “success”.

Phishing emails:

Typically attempt to deceive recipients into clicking on malicious links or providing sensitive information.

They are one of the most common and effective methods of cyber attack, with 93% of organisations reporting at least one phishing attempt in the last 12 months.

Vishing:

Involves attackers using phone calls to impersonate trusted entities, persuading individuals to divulge confidential information or perform actions that compromise security.

AI-driven impersonations:

Use artificial intelligence to create realistic audio or video content that impersonates senior executives or trusted colleagues to manipulate individuals into taking harmful actions.

The impact

Phishing emails bypass technical defences by evading email filters. In the first quarter of 2024, almost 60% of malicious messages reached corporate inboxes and attempted to steal login credentials.

In 2024/2025, the mean financial cost to UK organisations of the most disruptive and successful attack stood at £6,120. Without a vigilant and well-trained workforce, organisations remain vulnerable to phishing emails and the severe financial and reputational damage they inflict.

However, the human element in cyber security can be a shield as much as it can be an entry point.

By understanding why individuals are targeted and recognising the common threat vectors, you can equip your employees to detect and resist these attacks as part of an upgrade to your entire cyber security posture.

Current organisational approaches to cyber security

Organisations have traditionally relied on a combination of periodic training sessions, a strong IT department, and investments in technical controls to manage their cyber security. Strategies often include annual or biannual training modules designed to educate employees on the basics of cyber security, such as identifying phishing emails or best practices with passwords.

Meanwhile, IT departments are typically tasked with maintaining the organisation's security infrastructure and implementing firewalls, intrusion detection systems, and other technical defences. Many organisations also invest heavily in software solutions and hardware to safeguard their networks against external threats.

Why these measures fall short

While traditional measures provide a foundational layer of security, they fail to address the evolving nature of cyber threats. One significant gap is the content and frequency of training sessions.

Reliance on outdated training materials that don’t cover the latest threat vectors, such as AI-driven attacks or advanced social engineering tactics, is commonplace.

Moreover, these training sessions are often sporadic, meaning they fail to provide the continuous education and reinforcement needed to ensure good cyber security practices.

Another critical issue is the over-reliance on IT departments and technological solutions. Essential components of a robust cyber security strategy though they are, they can also create a false sense of security.

It is customary for organisations to assume their investment in technology is sufficient to protect them from all threats, overlooking the fact that human error remains a grave vulnerability. The result is complacency and a lack of emphasis on the importance of cultivating a proactive, organisation-wide cyber security culture.

In response to failing security measures and increasingly sophisticated threat vectors, organisations are doing their research. The Cyber Security Breaches Survey reports that 92% of medium organisations and 96% of large organisations consider cyber security a high priority for senior management. Cyber security is being viewed as a strategic as well as a technical issue, requiring attention at all levels of the organisation.

Despite this increased awareness, effective implementation remains a challenge. The failure to integrate continuous education, update training content regularly, and create a culture that prioritises security over convenience is prevalent across the corporate world.

Indeed, in a recent Boxphish survey of IT leaders, 95% agreed that the human risk element of a cyber strategy is ‘very important’. Nevertheless, almost half (42%) conceded that the human risk element of their existing strategy could be improved.

Despite recognising the significance of human risk, these organisations (for reasons that likely include a lack of resources, tight budget restrictions, or stretched IT teams) are struggling to find ways to mitigate the risk effectively.

Similarly, 53% of respondents accepted that they ‘could do better’ when asked if they have a positive cyber culture within their organisation. Making the necessary improvements requires leaders to move beyond the provision of periodic training and isolated technical solutions towards adoption of a more holistic approach, one that includes continuous education, employee engagement, and a deeply embedded cyber culture.

Only by addressing these gaps can organisations mitigate the human risk element so often exploited by contemporary cyber threats and which never stop evolving in their complexity and sophistication.

The need for continuous cyber security awareness training (C-SAT)

Continuous cyber security awareness training (C-SAT) is a modern approach to educating employees about the cyber threat landscape. Unlike traditional methods that rely on infrequent and obsolete training sessions, C-SAT involves regular, ongoing education designed to keep employees consistently informed and engaged.

By integrating training into employees’ daily or weekly routines, C-SAT ensures that cyber security awareness becomes a sustained priority and is far more effective in building a proactive, resilient cyber security culture.

Benefits of regular training

C-SAT delivers regular, short, and focused training sessions that keep employees up-to-date with the latest threats and best practices. These bite-sized training modules are less likely to overwhelm employees and can be easily integrated into their work schedules. Regular exposure to current cyber security information also helps maintain high levels of vigilance so employees are prepared to recognise and respond to emerging threats.

Crucially, continuous training puts security front and centre in the minds of employees when undertaking their daily responsibilities rather than it being an afterthought.

Phishing

One of the most effective components of C-SAT is the use of simulated phishing attacks. The simulations are designed to mimic real-world phishing attempts, allowing employees to practice identifying and responding to suspicious emails in a controlled environment.

The simulations mirror the increasing sophistication of phishing emails, the threat of which was highlighted in a recent Boxphish survey which asked a sample of IT leaders whether they were confident that employees in their organisation would spot an attempted attack. Less than a third (31%) described themselves as ‘very confident’.

By experiencing realistic scenarios, employees can better understand the tactics cyber criminals deploy and develop the skills needed to avoid falling victim. Phishing simulations also provide immediate feedback, reinforcing learning outcomes and helping to correct mistakes before they lead to real-world breaches.

Data-driven impact

C-SAT platforms offer a potent advantage by providing real-time data and analytics, allowing you to measure the effectiveness of your training programmes. Metrics such as participation rates, completion times, and the success of phishing simulations can all be tracked.

A data-driven approach enables you to identify areas where your employees may need additional support or where training content must be adjusted to address novel threats. This ability to continuously refine and tailor the training based on actual performance data means your cyber security awareness efforts remain relevant and impactful.

Transforming your cyber culture

Cyber culture refers to the collective attitudes, behaviours, and values of an organisation's members regarding cyber security. It is the foundation upon which secure behaviours are built, ensuring that every individual within the organisation understands the importance of cyber security and naturally incorporates best practices into their daily routines.

A strong cyber culture shifts the individual’s mindset from viewing cyber security as “just an IT issue” to recognising it as a shared responsibility across the entire organisation. When cyber security becomes ingrained in the organisational culture, secure behaviours become second nature, and the risk of breaches drops significantly.

Removing the stigma

The stigma associated with making mistakes, such as clicking on a phishing link or accidentally sharing sensitive information, must be removed for a positive cyber culture to take root.

Fear of punishment can lead to the underreporting of incidents, hampering your ability to respond to threats effectively. Potential security incidents can be used as learning opportunities by creating an environment in which employees feel safe to report mistakes without fear of retribution. This approach, built on empathy and understanding, encourages open communication, promotes continuous learning, and ultimately strengthens overall cyber resilience.

The need for clear processes

A clear and well-communicated process for responding to security incidents is the cornerstone of a robust cyber culture. When employees are uncertain about what to do if they suspect a breach, valuable time can be lost, and the impact of an attack can be exacerbated.

You must establish and regularly communicate clear procedures for reporting and responding to potential security threats. Procedures should be easy to understand, accessible to all employees, and regularly reinforced through training and internal communications.

Ensuring that everyone knows their role in the event of a security incident enhances your response capabilities while instilling confidence among employees in their ability to handle such situations.

Developing communication strategies

Effective communication is critical to embedding cyber security into the organisational culture. Organisations must develop strategies to consistently communicate the importance of the cyber security processes and behaviours expected of employees.

This communication can be achieved through various channels, such as regular email updates, internal newsletters, team meetings, and even posters. It’s also important to tailor communication to different audiences within the organisation, so the messaging resonates with everyone, from entry-level staff to senior management.

Involve the C-suite

For a cyber culture transformation to be successful, leadership must champion it. Cyber security should not be viewed as solely the responsibility of your IT department; instead, it must be integrated into all elements of your organisational strategy.

When C-suite executives take ownership of cyber security, it signals to the workforce that it’s a critical priority. Leaders can demonstrate their commitment by participating in cyber security initiatives, allocating appropriate resources, and regularly communicating the importance of cyber security to the organisation.

Practical steps for cultural change

To develop a positive and proactive cyber security culture, you can take the following practical steps:

  1. Regular training and awareness programmes: Implement ongoing training that is relevant, engaging, and tailored to different job roles.
  2. Encourage open communication: Create a culture where employees feel comfortable reporting mistakes or suspicious activities without fear of punishment.
  3. Promote cyber security champions: Identify and empower individuals within the organisation who are passionate about cyber security to act as advocates and role models.
  4. Incorporate cyber security into performance metrics: Include cyber security behaviours in departmental/employee performance reviews to reinforce importance.
  5. Leadership involvement: Ensure that leaders are visibly engaged in cyber security initiatives and regularly communicate the significance of these efforts.
  6. Gamify cyber security: Introduce gamification elements, such as rewards for identifying phishing attempts, to make learning about cyber security more interactive and even enjoyable.
  7. Regularly review and update policies: Ensure that cyber security policies are up-to-date, reflect the latest threats, and communicate these updates clearly to all employees.

By taking these steps, you can create a cyber culture in which security becomes more than a compliance requirement and instead a deeply embedded value that guides everyday actions.

The impact of a transformed culture

A transformed cyber culture can yield wide-ranging benefits, with one of the most immediate being a reduced risk of security breaches. When cyber security becomes ingrained in daily habits and behaviours, employees are more likely to identify and avoid potential threats. A robust cyber culture also enhances your ability to respond to incidents effectively. Employees well-versed in security protocols can act quickly in the event of a breach, limiting the damage and improving the chances of a fast recovery.

The development of a more security-conscious workforce means cyber security is prioritised at all levels. Employees take greater personal responsibility for their actions and become more likely to follow best practices. This heightened awareness leads to a more proactive approach to security, where potential issues are identified and addressed before they escalate into serious threats.

Metrics for success

Several key metrics can be used to evaluate the success of cultural transformation initiatives, including:

Lower click rates on phishing emails:

A decrease in the number of employees who fall for phishing attempts indicates that awareness and training efforts are taking hold.

Increased incident reporting:

As employees become more engaged with cyber security, they are more likely to report suspicious activities or potential threats, providing you with the information needed to respond rapidly.

Improved compliance with security protocols:

As your culture shifts, your employees are more likely to adhere to established procedures, reducing the risk of breaches caused by accidental human error.

In addition to these metrics, you can track the overall reduction in security incidents over time, the speed of response to potential breaches, and employee engagement levels in cyber security training and awareness programmes.
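The metrics above (click rate on simulated phishing emails, incident reporting rate, and speed of response) are straightforward to compute from campaign records, and computing them the same way every time is what makes the trend meaningful. The following is an added example, not Boxphish code and not the page's own: it defines a hypothetical `Campaign` record layout, computes per-campaign click rate, report rate and minutes to the first user report, and derives the first-to-last "susceptibility reduction" figure in the way the page later describes it (first simulation's click rate compared with the click rate after a year of training). The campaign data is constructed; the first and last click rates (19.9% and 2.97%) are chosen to match the averages quoted on this page so the resulting reduction can be checked against the 85% figure.

```python
"""Phishing-simulation programme metrics from campaign records.

Added example (not Boxphish code). Campaign records below are constructed;
first/last click rates are set to the page's quoted 19.9% and 2.97%.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Campaign:
    """One simulated-phishing campaign (hypothetical record layout)."""
    name: str
    sent_at: datetime
    recipients: int
    clicked: int                          # employees who clicked the simulated link
    reported: int                         # employees who reported the email
    first_report_at: Optional[datetime]   # None if nobody reported it


def click_rate(c: Campaign) -> float:
    """Share of recipients who clicked; 0.0 for an empty campaign."""
    return c.clicked / c.recipients if c.recipients else 0.0


def report_rate(c: Campaign) -> float:
    """Share of recipients who reported the email (higher is better)."""
    return c.reported / c.recipients if c.recipients else 0.0


def minutes_to_first_report(c: Campaign) -> Optional[float]:
    """Response speed: minutes from send time to the first user report."""
    if c.first_report_at is None:
        return None
    return (c.first_report_at - c.sent_at).total_seconds() / 60.0


def relative_reduction(first: float, last: float) -> float:
    """(first - last) / first: the 'susceptibility reduced by X%' figure."""
    if first <= 0:
        return 0.0
    return (first - last) / first


def summarise(campaigns: List[Campaign]) -> dict:
    """Per-campaign metrics, in send order, plus first-to-last click-rate reduction."""
    ordered = sorted(campaigns, key=lambda c: c.sent_at)
    rows = [
        {
            "name": c.name,
            "click_rate": click_rate(c),
            "report_rate": report_rate(c),
            "minutes_to_first_report": minutes_to_first_report(c),
        }
        for c in ordered
    ]
    reduction = 0.0
    if ordered:
        reduction = relative_reduction(click_rate(ordered[0]), click_rate(ordered[-1]))
    return {"campaigns": rows, "click_rate_reduction": reduction}


# Constructed sample data: one baseline campaign, then quarterly campaigns over a year.
T0 = datetime(2024, 1, 15, 9, 0)
CAMPAIGNS = [
    Campaign("Q1 baseline", T0, 10_000, 1_990, 400, T0 + timedelta(minutes=95)),
    Campaign("Q2", T0 + timedelta(days=91), 10_000, 1_100, 1_500,
             T0 + timedelta(days=91, minutes=30)),
    Campaign("Q3", T0 + timedelta(days=182), 10_000, 600, 2_800,
             T0 + timedelta(days=182, minutes=12)),
    Campaign("Q4 after 12 months", T0 + timedelta(days=365), 10_000, 297, 4_000,
             T0 + timedelta(days=365, minutes=4)),
]


if __name__ == "__main__":
    result = summarise(CAMPAIGNS)
    for row in result["campaigns"]:
        ttr = row["minutes_to_first_report"]
        ttr_text = "no report" if ttr is None else f"{ttr:.0f} min to first report"
        print(f"{row['name']:<20} click {row['click_rate']:.1%}  "
              f"report {row['report_rate']:.1%}  {ttr_text}")
    print(f"Click-rate reduction, first to last: {result['click_rate_reduction']:.1%}")
```

The three per-campaign figures map directly onto the page's three success metrics, and the first-to-last reduction is the single headline number; tracking report rate and time-to-first-report alongside click rate matters because a campaign with few clicks but no reports says nothing about whether employees would alert you to a real attack.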

The future of cyber security

As digital capabilities progress and cyber criminals gain access to new and powerful technologies, the importance of integrating continuous training with a strong cyber culture cannot be overstated.

Organisations that invest in C-SAT equip their employees with the knowledge and skills necessary to recognise and respond to emerging threats. Coupled with a robust cyber culture that prioritises security at every level, the risk of breaches lowers, and secure behaviours become second nature to all employees.

Evolving threats

Attackers are constantly developing new, more sophisticated methods to bypass defences and exploit vulnerabilities. As technologies such as artificial intelligence, machine learning, and the Internet of Things continue to advance, so too do the tactics employed by cyber criminals.

Against this backdrop, remaining proactive in your security efforts is crucial. Here, proactivity involves keeping up with the latest technological defences with the same commitment as continuously reinforcing an organisation-wide culture of security awareness and vigilance.

Final thoughts

Cyber security must be viewed as a shared responsibility that permeates every aspect of the organisation.

By cultivating a strong cyber culture and commitment to continuous education, you can empower your employees to act as the first line of defence against cyber threats. This will protect your organisation's assets and reputation and position you for long-term safety and success.

Ultimately, the future of cyber security lies with those who recognise the role that culture and continuous learning play in safeguarding the organisation against cyber attacks. As a leader, it is up to you to build and promote this recognition.

Next steps and recommendations

Embarking on or enhancing a cyber culture transformation may seem daunting, but you can make significant strides towards a more secure environment with a structured approach.

Step 1:

Assess the current cyber culture within your organisation through employee surveys, focus groups, and a review of existing cyber security practices and incident records. Understanding the existing attitudes, behaviours, and knowledge gaps is crucial in identifying areas requiring attention.

Step 2:

Set clear and measurable goals for the transformation. Goals should align with your overall strategy and include specific targets, such as increasing awareness of phishing threats, improving incident reporting rates, or integrating cyber security practices into daily operations.

With these goals in mind, you can then implement targeted changes, such as:

Introducing C-SAT

Revising communication strategies

Ensuring leadership involvement

It’s also essential to approach the transformation as an ongoing process rather than a one-time effort. Regular reviews and adjustments to the strategy, based on feedback and performance metrics, will ensure that the culture continues to evolve and adapt to new challenges.

Resources and tools

You don’t need to embark on the journey toward a stronger cyber culture alone. Numerous resources and tools are available to support these efforts. One such resource is Boxphish. As a leading provider of cyber security awareness training solutions, we offer a range of services designed to help organisations build and sustain a cyber security culture that’s ready to confront modern threats.

Our C-SAT platform is particularly effective in providing regular, engaging, and up-to-date training content that keeps employees vigilant and informed.

Meanwhile, our phishing simulation tools allow you to conduct realistic, controlled tests of your employees' ability to recognise and respond to phishing attempts. The simulations provide valuable insights into where additional training may be needed and help to reinforce the lessons learned through training sessions.

Speak to Boxphish today

Boxphish helps organisations like yours reduce phishing susceptibility by an average of 85%. This figure was calculated by taking the average click rate of a customer’s first simulation and comparing it with the click rate after a minimum of 12 months’ training.

Our data shows that the average click rate on a phishing email is 19.9% on the first simulation and just 2.97% by the last. In short, regular and specialist training works.

The tailored training solutions we provide, coupled with our deep understanding of the cyber security landscape, make us an ideal partner. Together, we can ensure that your employees are aware of contemporary cyber threats and empowered to act as a strong line of defence against them.

Whether it’s through bespoke training solutions, expert consultations, or ongoing support, we are equipped to help you confront the complexities of cyber security and build a culture that prioritises security at every level.

Start your journey towards a stronger, more resilient cyber culture today by contacting Boxphish for the tools and expertise that will make a real and permanent difference.
