With Capita just being fined £14m, Jaguar Land Rover being brought to their knees, and M&S losing approximately £300m annual profit, there’s no end to the cyber attacks we could talk about right now.
It’s relentless. It’s happening. You could be next. We beg of you, please, please take your cyber security awareness seriously.
We’re not talking about your firewalls and technical security; that’s all fine and dandy. We’re talking about humans, your people. If not properly coached, your people pose the single biggest cyber threat to your business.
And we’re not exaggerating. 95% of data breaches are caused by human error.
So how is it that everyone, even the mighty Jaguar Land Rover, is getting their cyber awareness so incredibly wrong?
Most cyber training (and, in fact, most education in general) is built around the concept of knowledge transfer. Moving information from one brain to another.
Simple? Yes. Effective? Not really.
Unfortunately, the human brain has not evolved to retain information that isn’t immediately relevant. Information out of context is far less likely to stick, which means that sitting down at a computer and completing an e-learning module all about cyber threats is going to be difficult for your employees to apply in their day-to-day lives.
If you want your cyber awareness to make a real difference, you need to consider the human factors of cyber.
People often become tired, distracted, or disengaged with their work. Even if they know the right thing to do, that doesn’t mean they always do it, especially if it takes more effort.
That’s not to say people are careless. They’re human. We all make bad calls sometimes. We click the link that looks legit. We ignore the update reminder (because who hasn’t?). We stay quiet when something feels off, because nobody wants to be the one who “caused a fuss”.
And that’s where things get dangerous. Not just in the mistake itself, but in the silence that follows it. In environments where people fear blame, or where cyber feels like someone else’s job, small errors go unreported until they explode into big problems.
If your people don’t feel like they can safely acknowledge when a mistake has been made, you’re at risk.
The way you approach cyber needs to change.
Think back to your last cyber awareness course.
You clicked through a few slides about phishing. Answered a quiz about password strength. Maybe watched a cartoon hacker in a hoodie try to steal data. And then, tick, you’re “trained”.
Poof.
Forgotten immediately. This kind of training isn’t about learning, it’s about compliance. You’re taking people away from their pressing work and pushing them through compliance modules that are important to the business, but not necessarily to them.
Real cyber awareness isn’t about learning the rules or the “best practices”. It’s about feeling something. It’s the difference between telling someone to wear a seatbelt and showing them what happens when they don’t.
Emotional connection creates memory, and memory drives behaviour.
When people can talk openly about cyber risks, share their slip-ups, ask questions, laugh about what went wrong – that’s when the message sticks. It’s not about fear or shame. It’s about ownership.
This is where human-centred design really starts to make a difference.
Human-centred design (HCD) is how you take cyber awareness and make it truly applicable to the people who work for you.
This is essential because everyone has a different experience in their working lives.
A factory technician, a marketing exec and a finance manager don’t share the same risks; they barely experience the same business, but most organisations give them the same cyber training course and hope for the best.
It’s clear to us all that this is never going to work, right?
HCD starts with empathy. We step into someone’s world and take the time to figure out what cyber really looks like for them.
Once you get that, you can design experiences that resonate. Whether that’s interactive games, conversations, or moments that make people stop and think instead of switching off.
This is the same process we followed when working with Unilever, where one member of staff so eloquently said:
“We make soup and soap. No one’s after us.”
We bet someone at JLR said something similar.
Despite this, Unilever knew that threats were real and were committed to doing something about them.
And thus, Cards Against Cyber Crime was born
The concept was simple. The results were comprehensive.
Rather than putting their people through a generic cyber training course, Unilever invited teams to play a new game tailored to their business and the specific threats they face. The game doesn’t exist in a vacuum; they use it in an ongoing way to create “safety moments” across the organisation.
The result?
The endgame isn’t just fewer mistakes. It’s a culture where people actually want to do the right thing, and they’re equipped to do so.
Sure, you can force compliance, but you’re much better off inspiring it; building emotional connection through environments where people feel safe to ask questions, raise concerns and admit mistakes early. Games like Cards Against Cyber Crime make cyber a part of the everyday conversation, not a once-per-year headache.
That’s what a security-conscious cyber culture looks like:
Because when people feel ownership of the risk, they protect not just the company, but each other.
The worst thing you could do now is bury your head in the sand. This is exactly what’s happening at organisations worldwide and, even if you’re not yet a target, chances are you will be in the near future.
Your next step should be booking a quick chat with our team of thinkers and doers. We’ll keep it casual; an opportunity for us to learn a little more about your concerns, and for you to get to know us just a little better.
When you’re ready, click the link below and we’ll be in touch.
We've all suffered through lacklustre corporate learning. The futility of education and training has switched us off at one point or another.
We want to change this. It starts with you and I discussing what needs to change at London Gatwick, and how change can fit within your time and budget limitations.