How to create a cyber-secure culture

It feels like every day we hear about another business being hit by a successful cyberattack.

For some, these attacks are a costly headache they could do without, such as the recent spate of attacks on high street retailers, including M&S and Co-op. (You can find out more about that in our blog ‘What lessons can be learnt from the retail cyber attacks?’)

While for others, such attacks can prove fatal – the closure of a 160-year-old Kettering haulage firm being a stark reminder that cyber criminals are not fussy when it comes to the age, size or type of company they will target.

Indeed, according to the UK Cyber Security Breaches Survey 2025 published by the government, around 43% of UK businesses and 30% of charities experienced a cyber security breach or attack in the past 12 months.

Technologies such as firewalls, encryption and multi-factor authentication all help to provide different layers of protection. But something else that is vital is recognising the human element – an important yet often overlooked factor.

At Dragon, we understand that cyber security is about more than just technology. It’s about people, processes, and culture. Here, we explore how organisations can lead from the front and build a strong cyber security culture, and why it’s essential for long-term resilience.


Putting people at the heart of cyber security

Recognising that cybersecurity is a cultural challenge, the National Cyber Security Centre (NCSC) has introduced new Cyber Security Culture Principles, designed to help organisations embed security within their everyday operations.

These principles highlight the importance of leadership, collaboration, and behavioural change in fostering a cyber-secure workplace.

Why does it matter? Because every employee plays a role in cyber security, whether it’s reporting phishing emails, using strong passwords, or keeping software updated. It’s a topic we’ve covered a number of times on this blog, including ‘How to help employees spot social engineering’ and ‘How to tackle employee password fatigue’.

Research shows that an organisation’s culture directly affects how effectively people engage with its security measures and procedures. Without the right mindset, even the best security tools can fail. When employees feel disconnected from security policies, or view them as obstacles, they are more likely to ignore best practice, increasing the risk from cyber threats.

A strong cyber security culture ensures that employees:

  1. Understand their role in protecting the organisation
  2. Feel empowered to report security concerns without fear
  3. Recognise cyber security as a business enabler, not a burden


3 key steps to achieving a strong cyber aware culture


Empower your cyber security professionals

Individuals tasked with leading on cyber security within the organisation must be seen as supportive enablers, not gatekeepers. Employees should trust them to help when things go wrong and know exactly what to do when they see something suspicious. Importantly, they must feel able and safe to speak up if they make a mistake.

Ask yourself:

  1. Does the way your IT team operates encourage trust?
  2. Do employees feel comfortable reporting security incidents?
  3. Is cyber security framed as a business enabler, rather than a restriction?

Focus on education, engagement, and accessibility, ensuring that employees are informed about risks, clear on policy and procedure, and know where to turn for help.


Engage culture specialists

Cyber security isn’t just a technical issue; it’s a human one. Consider drawing on the skills of a culture expert to assess, and help improve, cyber security awareness and behaviours.

Internal culture specialists can help:

  1. Identify hidden barriers preventing employees from following security protocols
  2. Develop training programmes that resonate with different teams
  3. Create positive reinforcement strategies to encourage secure behaviours

By integrating psychology and behavioural science within your cyber security strategies, your organisation can better drive meaningful change in employee attitudes.


Leadership

Leaders must set the tone by prioritising security, rewarding good practices, and integrating cyber security into broader organisational goals.

Leadership should:

  1. Communicate the importance of cyber security regularly
  2. Lead by example, following security protocols themselves
  3. Recognise and reward employees who demonstrate strong security awareness

When leaders actively support cyber security initiatives, employees are more likely to engage and take responsibility for their actions.


In summary

Reducing the threat of cyberattacks and implementing robust cyber security measures is not just about technology; it’s about people, and about having a strong, cyber-focused organisational culture.

The NCSC’s Cyber Security Culture Principles highlight the importance of leadership, collaboration, and behavioural change in fostering this and a resilient security environment.

By working hard to build a proactive security culture, organisations can reduce the risk of successful attacks, enhance their resilience, and build trust – ensuring cyber security is not just a policy, but a mindset.


In need of expert support?

Here at Dragon IS, we work with small and medium sized businesses, supporting them with all their IT infrastructure and cybersecurity needs. For an informal chat about how we could help your business, please email info@dragon-is.com or call us on 0330 363 005.
