The latest UK Government Cyber Security Breaches Survey reveals a sobering reality: 43% of UK businesses experienced a cyber security breach or attack in the last 12 months. Yet many organisations still treat cyber security as purely an IT department responsibility.
It’s a mindset that creates dangerous vulnerabilities which could prove costly for your business.
The Current State of Employee Security Culture
The numbers tell a clear story about the scale of the challenge we face. The survey estimates that approximately 612,000 UK businesses and 61,000 charities identified a cyber breach or attack in the past year.
When we look at the human element specifically, phishing attacks remained the most prevalent type of breach or attack by far, experienced by 85% of businesses and 86% of charities that faced incidents. It just goes to show why a comprehensive approach to workplace security culture is essential: cyber threats don’t discriminate by department, and neither should your defences.
Why You Can’t Afford to Treat Security as Someone Else’s Problem
Many business leaders underestimate the true impact of cyber incidents. The average self-reported cost of the most disruptive breach for businesses was £1,600, rising to £3,550 when excluding zero-cost responses. However, the financial impact represents just the tip of the iceberg.
Around three in ten businesses that experienced breaches reported being impacted in ways beyond direct costs, including additional staff time to deal with incidents, new protective measures, and disruption to day-to-day work. The ripple effects extend far beyond what appears on a balance sheet.
Just think about it. In a single cyber incident, all these departments could be affected:
- Finance teams face disruption to payment processing and financial reporting
- HR departments deal with employee data protection concerns
- Sales teams lose customer trust and revenue opportunities
- Operations staff struggle with system downtime and workflow interruptions
This cross-departmental impact is why cyber awareness training for businesses must involve everyone, not just technical staff.
Breaking Down the Barriers to Cyber Responsibility
Too often, organisations create artificial boundaries around security responsibilities. The government survey reveals that only 27% of businesses had board members taking explicit responsibility for cyber security as part of their job, and this figure has been declining since 2021.
The growing disconnect between leadership and cyber security creates a culture where employees, seeing the example the C-suite are (or in this case, aren’t) setting, view security as someone else’s concern.
This McKinsey piece echoes this idea, noting how companies still fall into the trap of treating IT and security as “not my problem” rather than shared business responsibilities. This is a serious hindrance for businesses because when security becomes siloed, you lose the collaborative vigilance needed to protect against modern threats.
Well-defended organisations move beyond simple “partnering” between business and IT to genuine co-leadership where both sides share accountability for outcomes.
Practical Ways to Improve Employee Cyber Security
The survey data shows that staff training and awareness-raising activities were more prevalent in large businesses, with 76% of large businesses providing training compared to 19% of businesses overall. This disparity suggests significant opportunities for improvement, particularly in smaller organisations.
1. Start with Leadership Engagement
Ensure senior management visibly champions security initiatives. Include cyber security updates in regular management meetings, and allocate appropriate budget and resources for training programmes.
2. Make Training Relevant and Regular
Conduct monthly mini-sessions rather than annual marathons. Incorporate hands-on exercises and simulated scenarios, and use real examples from your industry and region.
3. Measure and Monitor Progress
Conduct regular phishing simulation exercises and monitor incident reporting rates and response times. Don’t forget to gather feedback to continuously improve your employee security awareness programmes.
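One way to turn step 3 into numbers you can track from one exercise to the next, as an added example rather than code from the original post: a small Python script that takes the results of a simulated-phishing exercise and computes the click rate, the report rate, how many people clicked but still reported, and the median time from send to report, overall and per department. The sample records and field names are constructed for the illustration, not drawn from the survey or any real exercise.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample results from one simulated-phishing exercise (hypothetical
# data, not from the survey). Timestamps are ISO 8601 in UTC; "reported_at" is
# None when the recipient never reported the message.
SAMPLE_RESULTS = [
    {"user": "u001", "dept": "finance", "clicked": False, "reported": True,
     "sent": "2025-03-03T09:00:00", "reported_at": "2025-03-03T09:07:00"},
    {"user": "u002", "dept": "finance", "clicked": True, "reported": False,
     "sent": "2025-03-03T09:00:00", "reported_at": None},
    {"user": "u003", "dept": "hr", "clicked": True, "reported": True,
     "sent": "2025-03-03T09:00:00", "reported_at": "2025-03-03T09:20:00"},
    {"user": "u004", "dept": "hr", "clicked": False, "reported": False,
     "sent": "2025-03-03T09:00:00", "reported_at": None},
    {"user": "u005", "dept": "sales", "clicked": False, "reported": True,
     "sent": "2025-03-03T09:00:00", "reported_at": "2025-03-03T09:03:00"},
    {"user": "u006", "dept": "sales", "clicked": True, "reported": False,
     "sent": "2025-03-03T09:00:00", "reported_at": None},
    {"user": "u007", "dept": "operations", "clicked": False, "reported": True,
     "sent": "2025-03-03T09:00:00", "reported_at": "2025-03-03T09:12:00"},
    {"user": "u008", "dept": "operations", "clicked": False, "reported": False,
     "sent": "2025-03-03T09:00:00", "reported_at": None},
]


def _minutes_between(start, end):
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def summarise(results):
    """Click rate, report rate and median minutes-to-report for one batch of results."""
    total = len(results)
    if total == 0:
        raise ValueError("no results to summarise")
    clicks = sum(r["clicked"] for r in results)
    reports = sum(r["reported"] for r in results)
    # A click followed by a report is still a good outcome: the report shortens
    # the window in which an incident can grow, so it is counted separately.
    clicked_then_reported = sum(r["clicked"] and r["reported"] for r in results)
    times = [
        _minutes_between(r["sent"], r["reported_at"])
        for r in results
        if r["reported"] and r["reported_at"]
    ]
    return {
        "recipients": total,
        "click_rate": clicks / total,
        "report_rate": reports / total,
        "clicked_then_reported": clicked_then_reported,
        "median_minutes_to_report": median(times) if times else None,
    }


def by_department(results):
    """The same summary, broken down per department."""
    groups = defaultdict(list)
    for r in results:
        groups[r["dept"]].append(r)
    return {dept: summarise(rows) for dept, rows in groups.items()}


def compare_rounds(previous, current):
    """Change in click and report rates between two summaries (positive = went up)."""
    return {k: current[k] - previous[k] for k in ("click_rate", "report_rate")}


if __name__ == "__main__":
    overall = summarise(SAMPLE_RESULTS)
    print("overall:", overall)
    for dept, stats in sorted(by_department(SAMPLE_RESULTS).items()):
        print(f"{dept:12s} click {stats['click_rate']:.0%}  report {stats['report_rate']:.0%}")
    # Constructed summary of a hypothetical earlier round, to show the trend.
    earlier = {"click_rate": 0.5, "report_rate": 0.25}
    print("change since last round:", compare_rounds(earlier, overall))
```

The report rate and the time-to-report matter at least as much as the click rate: a falling click rate with a flat report rate means people are getting better at spotting the simulation but not at telling anyone, which is the habit that actually limits real incidents.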
Making Security Personal and Practical
The most effective workplace security culture emerges when employees understand how their actions directly impact colleagues, customers, and the organisation’s mission.
Building Personal Investment
Help your team understand that improving employee cyber security protects:
- Their colleagues’ personal information and job security
- Their ability to access files and do their job
- Customer trust and business relationships
- The organisation’s reputation and future viability
Practical Daily Actions
Encourage simple but effective habits like these:
- Pause before clicking links or opening attachments
- Verify requests for sensitive information through alternative channels
- Report suspicious activities promptly without fear of blame
- Keep software and systems updated according to company policies
- Use strong, unique passwords and multi-factor authentication
How to Improve Cyber Security Awareness Across Every Department
In Finance and Accounting Teams:
Train staff to recognise fraudulent invoice requests and payment redirection scams and implement verification procedures for unusual payment requests.
Establish secure communication channels for financial confirmations, and regularly review and update banking access controls.
In Human Resources:
Develop protocols for verifying employee identity changes, plus secure personal data handling and storage practices.
Create incident reporting procedures that protect employee privacy and establish clear guidelines for remote work security.
In Sales and Marketing:
Educate teams about social engineering tactics targeting customer data and establish protocols for handling sensitive prospect information.
Train staff on safe social media and online presence management, as well as secure customer communication practices.
In Operations and Administration:
Create physical security awareness alongside digital security. Establish visitor management and access control procedures, train staff on secure disposal of sensitive documents, and implement clean desk policies and device security practices.
Strengthening Security Culture in Your Business Is a Long Game
Creating lasting change requires more than occasional training sessions. The government data reveals concerning gaps in organisational preparedness: only around one in three businesses had guidance for when to report a cyber breach or attack externally.
Be sure to:
- Establish straightforward reporting procedures and safe spaces for mistakes
- Define security roles and accountability measures for every position
- Integrate security considerations into job descriptions and performance reviews
- Learn from incidents and adapt training based on evolving threat landscapes
- Maintain regular communication about emerging threats and policy updates
Don’t Forgo the Technology Foundation
While culture and training form the backbone of effective cyber security, appropriate technical controls provide essential support. The survey suggests there’s significant room for improvement: adoption of more advanced controls like two-factor authentication remains at only 40% for businesses.
However, simply implementing these technologies alone won’t suffice. As we discussed in this blog, the security landscape has evolved significantly, and MFA is no longer enough on its own. Modern threats require layered defences that combine technology with human awareness.
Moving Forward Together
Cyber security threats continue evolving, but so do our collective capabilities to address them.
Success requires treating cyber security as a shared organisational value rather than a technical department’s exclusive domain. When every employee understands their role in protecting the business, you create multiple layers of human intelligence that complement your technical defences.
Ready to build a stronger security culture from the inside out? Speak with James about practical next steps for your team.