Cybersecurity incidents used to be nuisances that were disruptive but fairly limited in damages. Today, they can stop businesses in their tracks, observes Kieron Tarling, group DPO at Clarion Events.
“You have a long-time customer of 10 years. They just paid again recently, or so they thought. Then they discover they actually paid the entire amount to scammers. What do you do? There are all sorts of dilemmas that come out of those situations.”
Tarling is describing a scenario of cyber-enabled invoice fraud that successfully redirected a customer's payment to scammers. It's a stark reminder that cybersecurity vulnerabilities can emerge anywhere – making everyone in the organisation a crucial line of defence. It's no longer just the IT team's concern; cyber risk is now part of everyday business reality.
Your Weakest Link… and Greatest Asset
Employees falling for phishing or social engineering attacks often make headlines. But why do they keep happening despite widespread media coverage and stringent company policies? The reason is simple: many businesses fail to make cybersecurity relevant to their employees.
“People are generally busy, and if you tell them they've got to keep their data secure and here's a load of policies, they'll go, 'Oh yeah, I'll do those when I remember them.' But if I say to them that you will lose your customers and you will make less money if you don't keep that data secure – they sit up and pay attention.”
Making security personal requires building relevance into policies and ensuring individuals understand the reasoning behind them, not as indecipherable legalese, but as practical protection. “You've got to build relevance into your policy and into the delivery of that policy, to the individuals.”
This also means customising training materials for different groups, whether HR, legal, marketing or sales. Beyond tailored training, organisations must create positive reinforcement. Tarling recommends rewarding good behaviours: “If you can show that either an individual, a team, or even an entire business unit is being good and taking privacy and security seriously, you have to reward that through recognition.”
Leadership buy-in is essential. Tarling explains: “Each business unit has its managing director (MD). What we're now aiming for is to give back accountability to the MDs to make sure their division is performing and is safe. We will assist by giving them the metrics they need to measure against, and it's up to them to make sure it comes from the top down; it's not just coming from the bottom up.”
The Cultural Shift From the Top
This top-down approach requires a fundamental mindset shift, according to Vivek Chudgar, Managing Director of Mandiant Consulting, JAPAC. C-level executives must first accept an uncomfortable truth: cyber threats cannot be completely eliminated.
“Management needs to say, 'Getting breached is inevitable; we need to be prepared.' Until that mindset starts at the top, you can't expect it further down. That's the biggest challenge: leadership must understand the dynamics.”
Chudgar argues that organisations must adopt an assumed breach mindset and recognise that breaches don't occur because of employee mistakes – they happen because of determined, well-resourced threat actors that only need to succeed once.
He points to the 2018 SingHealth data breach and the Public Report of the Committee of Inquiry (COI) into the cyberattack, which was released a year later. “There were many vulnerabilities, misconfigurations, and missteps by employees. But while these were contributing factors, they were not the reasons for the breach. The breach happened because there was a determined adversary wanting to break in.”
This distinction is crucial. When leadership understands that adversaries – not individual errors – cause breaches, they can move away from punitive responses. “If you click a link or open an attachment, you're seen as guilty. Phishing tests focus on how many people failed, turning mistakes into personal blame. The whole approach is too focused on individual fault,” Chudgar observes.
Instead, organisations should frame cybersecurity as a collective responsibility. Just as citizens report suspicious objects to police, employees should feel empowered to flag potential threats without fear of retribution.
The New Cyber Front Line
For organisations ready to shift from blame to empowerment, Tarling offers practical guidance: “Your employees are both your greatest asset and your weakest link all wrapped up in one. If you can create a culture where privacy and security are taken seriously, then they're a great asset and they will defend you as best as they can.”
Creating a safe reporting environment is paramount. “People are very good at spotting when something's wrong and having them bring that to you in the safe knowledge that they're not going to get chastised. They're not going to get a bad mark on their record or on their team's record,” he adds.
This approach becomes even more critical when considering the distinction between a breach and its impact. While breaches may be inevitable, the damage isn't. The real question becomes how well an organisation can limit the fallout once a breach occurs, and that comes down to how resilient and responsive its systems and people are.
“Once you are inside, can you get to the crown jewels? Can you actually cause damage to the most critical assets? That is preventable if there are enough checks and balances at every stage – if somebody unauthorised is detected and stopped,” Chudgar explains.
This is where empowered employees become invaluable. When they feel safe to report anomalies, they become another layer in those vital checks and balances. As organisations face increasingly sophisticated threats, success will belong to those who transform their workforce from potential victims into active defenders – where every employee knows they're safeguarding not just data, but the organisation's future.