https://digitaltrade.blog.gov.uk/2025/12/16/why-human-behaviour-is-the-real-cyber-battleground/

Why human behaviour is the real cyber battleground

Posted by: Babz Rahman. Categories: People, Professions

When I first started my cyber security journey, I quickly realised something fundamental: cybercriminals don’t hack technology first, they hack people. Time and again, it’s the human link that’s exploited. Reports from the SANS Institute and other cyber security leaders reinforce this: around 80% of all data breaches involve some form of human element. That’s why building a culture of awareness isn’t a “nice-to-have”; it’s mission-critical.

The misconception: “Cyber Security isn’t my job”

At the Department for Business and Trade (DBT), one of the first challenges I faced was a deeply ingrained misconception: cyber security was seen as “the Cyber Team’s job.” But security isn’t about a specific team, it’s about behaviour. And behaviour belongs to everyone.

Changing that mindset was no small feat. It felt like a mammoth task. However, I had a clear goal: to make cyber security something people care about. Because when people start saying, “I care about cyber security,” we start to see real change.

Building the programme: From compliance to culture

The SANS LDR433 Human Risk Management course gave me the structure and confidence I needed to turn this challenge into an opportunity. The SANS Security Awareness Maturity Model helped me map where the department was and where we needed to go: from being compliance-focused to fostering long-term cultural change.

We identified our top 3 human risks, and, no surprise, phishing was one of them, alongside data loss and public Wi-Fi. Unlike other cyberattacks that directly target networks and systems, phishing uses social engineering techniques to exploit human error. It uses fake stories and pressure tactics to manipulate victims into unintentionally harming themselves or their organisations. Phishing poses a major risk because it targets people rather than technology. Attackers don’t need to hack systems or bypass security tools; they simply manipulate individuals who already have legitimate access. By doing so, they can obtain money, sensitive data, or other valuable assets without breaking in themselves.

We focused relentlessly on the top 3 human risks in our department.

Throughout Cyber Awareness Month, we ran 16 training sessions, and over 1,000 colleagues attended. We also had 11 external programmes, carried out by Integrated Corporate Services (ICS). ICS offers a centralised and innovative way of delivering core functions within the Civil Service, facilitating cyber training in collaboration with the Metropolitan Police. Over 1,000 attendees is a massive achievement considering the usual challenges around getting colleagues to prioritise this learning over everything else. Yet even with these hurdles, we saw the message take root. That was a defining moment, as it showed the impact of our awareness campaign.

Here are some facts to digest:

  • cybercrime will cost the world £8 trillion annually by the end of 2025
  • there were 225 billion potential cyber threats daily in 2024
  • 450,000 new pieces of malware are detected worldwide each day

These stats raised some eyebrows during our presentations and got people to sit up and take notice of the huge potential threat we collectively face. Live threat maps displaying thousands of live cyber attacks around the world also created some jaw-dropping moments.

Lessons learned: Make it relevant, make it irresistible

One of our biggest takeaways was the power of relevance and intrigue. Sessions titled with urgency words like “hack,” “dark web,” or “breach” drew far more attention. It’s human psychology: we’re wired to react to threat and to curiosity. Our “Dark Web and Stolen Credentials” session was a standout success because it hit both, which made people connect their own actions and behaviours with the huge risks involved.

We learned that good cyber security training isn’t about fear, it’s about empowerment. People want to know why security matters to them personally, not just what policies to follow. So, we made sure to include tips that people can apply for their own use. For example, although phishing emails are getting more sophisticated and harder to detect due to generative AI, the usual red flags are still there:

  • urgency
  • suspicious links
  • unexpected attachments
  • a message that seems too good to be true
  • unknown sender

Looking ahead

Cyber security awareness isn’t about ticking boxes; it’s about transforming culture. We’re now moving from training to engagement, and from one-off sessions to continuous conversations. Because when every colleague believes “I am part of cyber security,” we shift from being reactive to being resilient. That’s when real change happens.

We want leaders to lead by example. How will you model good cyber hygiene in your team? Commit to mentioning cyber security in your next team meeting. Culture starts with conversation.

And finally, what resources or tools have helped you stay cyber-aware? Post them in the comments or share with your team.


1 comment

  1. Comment by Bince Uddin posted on

    An excellent read Babz! Full of brilliant insight and plenty to take on board. You’ve underlined how valuable it is to remember that being extra careful is never a drawback. The criminals have changed their methods; we must change our attitudes and behaviours to stay protected! Thanks for sharing your knowledge!
