The UK government’s latest data shows phishing attacks affected 85% of businesses that experienced security incidents<\/a>. But only 19% of UK businesses conduct regular staff training on cyber security. <\/p>\n\n\n\n We used to think the problem was that people weren’t paying attention. That if we just made the training more engaging or the warnings more visible, they’d stop falling for social engineering. We were wrong. <\/p>\n\n\n\n Most security training still focuses on spotting spelling mistakes in emails and avoiding suspicious links. That may have worked in 2016 but in 2026, AI-generated phishing emails have perfect grammar, reference real projects you’re working on scraped from LinkedIn, and come from compromised legitimate accounts. The old tells don’t work anymore. <\/p>\n\n\n\n Security training has to be more than compliance exercise teaching people to spot threats that barely exist anymore, more than an annual module about not clicking suspicious links. Meanwhile, attackers are using AI to generate personalized spear-phishing campaigns at scale, creating deepfake audio for business email compromise, and exploiting supply chain vulnerabilities that your team don’t even know exist. <\/p>\n\n\n\n Your team don’t resist security because they’re careless. They resist because training is abstract, outdated, and disconnected from the actual threat landscape. <\/p>\n\n\n\n Controls without context feel like obstacles, not protection. <\/p>\n\n\n\n Security policies get written by technical teams who understand zero trust architecture but don’t understand how people work. A restaurant manager closing at midnight after a 14-hour shift will approve a payment request on their phone if it looks legitimate – even if it bypasses your carefully designed approval workflows. Your manager had no way to know that the supplier’s email was compromised weeks ago. <\/p>\n\n\n\n Security policies that require cognitive effort during high-stress moments risk getting bypassed. We can call that user error or we can recognize that it\u2019s a feature of the system rather than a glitch. <\/p>\n\n\n\n Verizon’s 2025 Data Breach Investigations Report found that 60% of breaches involve a human element<\/a>\u202f- errors, social engineering, or credential misuse. That percentage hasn’t improved despite AI-powered security tools, passwordless authentication, and zero trust implementations. <\/p>\n\n\n\n The defensive technology has advanced but the offensive technology has advanced faster. And humans are still the gap. <\/p>\n\n\n\n We’ve tried changing behaviour through policy documents and annual training modules teaching outdated threat recognition. We haven’t tried helping people understand that AI has fundamentally changed the threat landscape, that the old rules about “suspicious emails have spelling mistakes” don’t apply anymore, and that verification processes exist because deepfakes are now indistinguishable from reality. <\/p>\n\n\n\n Manufacturing learned in the 1980s that you can’t make workplaces safe just by posting safety rules and expecting compliance. The companies that reduced workplace injuries built safety into the workflow itself. We have to stop trying to bolt 2026 security controls onto workflows designed for 2016 threats. <\/p>\n\n\n\n Cyber Security friction slows workflows. Humans are naturally lazy and will, by default,\u00a0optimize\u00a0for ease of execution. If you\u00a0won’t\u00a0acknowledge this tension, you\u00a0can’t\u00a0address it.\u00a0<\/p>\n\n\n\n A salesperson trying to close a deal before month-end may share a confidential proposal via personal Gmail if the approved file transfer system takes six clicks and requires IT approval. A startup founder racing toward a funding deadline will reuse passwords across platforms because remembering unique credentials isn’t the best use of her cognitive energy. <\/p>\n\n\n\n Take, for example, a boutique hotel group with four properties which installed sophisticated access controls requiring multi-factor authentication (MFA) for everything. Excellent security in theory. <\/p>\n\n\n\n But if authentication adds time over busy periods, before long staff will develop workarounds through shared credentials, sessions left open on unattended terminals, and even using the general manager’s login when guests are waiting because hers doesn\u2019t need the second authentication step (for some reason nobody understands). <\/p>\n\n\n\n Designing cyber security that aligns with workflow rather than disrupting it means asking what\u00a0your team\u00a0actually\u00a0do\u00a0all day. Where are the friction points? How do we create protection that feels invisible?\u00a0<\/p>\n\n\n\n Businesses involving front-line staff in policy design before implementation get policies that actually get followed because they make operational sense. <\/p>\n\n\n\n Cyber Security policies feel like expressions of institutional distrust. Tell someone their email will be\u00a0monitored, web browsing logged, file transfers restricted. The implicit message is “we don’t trust you.” People view security as adversarial. They look for ways around restrictions because the restrictions feel personal.\u00a0<\/p>\n\n\n\n While there are legitimate reasons to monitor certain activities, and genuine insider threats exist, if your security model assumes every team member is potentially malicious, what kind of culture and SOP are you creating? And what does that cost you in terms of good people who resent being treated like threats? <\/p>\n\n\n\n Leadership must own cyber security, not delegate it to IT. If your CEO treats security as a cost\u00a0centre,\u00a0you’re\u00a0stuck until a breach forces the conversation.\u00a0<\/p>\n\n\n\n Training that works: <\/p>\n\n\n\n People remember training delivered in their work context when they need it. <\/p>\n\n\n\n Security champions make the difference.<\/strong> Identify advocates in each department who understand both security and operational reality. Front office champions know guest service pressures. Kitchen champions understand how chefs use tablets. They spot workarounds caused by poorly designed controls. <\/p>\n\n\n\n Involve champions in security design, not just rollout. They catch workflow problems before deployment. <\/p>\n\n\n\n Celebrate reporting.<\/strong> When someone reports suspicious activity – even false alarms – thank them publicly. When someone admits clicking a phishing link, respond “thank you for reporting quickly,” not with discipline. <\/p>\n\n\n\n Punitive security drives incidents underground. Your team hide breaches for days fearing blame. <\/p>\n\n\n\n You can also track behavioral metrics: <\/p>\n\n\n\n These show whether people think differently. <\/p>\n\n\n\n Remember that “97% completed training” can mean that 97% clicked through to stop notifications. Nothing more. <\/p>\n\n\n\n Companies that train\u00a0their team\u00a0to recognize social engineering also train them well in customer service, quality control, and process adherence. The discipline is transferable. If\u00a0you’ve\u00a0built a culture where people pay attention to details, question things that seem wrong, and report problems\u00a0immediately,\u00a0you’ve\u00a0built something valuable that extends beyond security.\u00a0<\/p>\n\n\n\nPeople Keep Clicking<\/strong> <\/h2>\n\n\n\n
The Thing Nobody Says Out Loud About Cyber Security<\/strong>\u00a0<\/h2>\n\n\n\n
How To Get It Right<\/strong> <\/h2>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n
![\"\"](\"https:\/\/www.cardonet.co.uk\/insights\/wp-content\/uploads\/2026\/03\/cyber-security-building-a-robust-security-culture-cardonet-1024x683.png\")
<\/figure>\n\n\n\nWhat To Do Next<\/strong> <\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.cardonet.co.uk\/insights\/wp-content\/uploads\/2026\/03\/assess-your-cyber-security-culture-cardonet-1024x683.png\")
<\/figure>\n\n\n\n