SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Andy Fielder, CTO at MetaCompliance

A resilient security culture is built in the flow of work, not the classroom

Fri, 6th Mar 2026

Every year, organisations invest more in cyber security as they improve the solutions they use to detect and manage threats. Yet breaches continue to rise at pace, with the National Cyber Security Centre (NCSC) handling a record 204 significant cyber attacks from September 2024 to September 2025 – up from 89 in the previous 12 months – and seeing a 50% increase in highly significant cyber incidents.

The uncomfortable truth is that many organisations have mistaken activity for progress. Business leaders have strengthened their technical controls but haven't changed how people behave in critical moments, and that's where most incidents begin.

Has progress been an illusion?

Security dashboards can be reassuring when they show millions of attacks have been blocked and the average time to detect threats is decreasing. But often, when looking closely at incidents that have forced businesses to a halt, it's clear that controls were in place, alerts were triggered, and employees had completed their annual training – yet the breach still happened.

Cyber attacks tend to start with something seemingly unimportant, whether that's an overlooked patch, a convincing phishing email, a reused password, or a moment of distraction at the wrong time. The triggers are simple and familiar, which signals that human risk isn't being managed with the same rigour as technical risk.

Many organisations still rely on routine training as the cornerstone of their security strategy. While awareness matters, education in isolation doesn't create a robust security culture. Scheduled training doesn't influence split-second decisions when inboxes are overflowing, deadlines are looming, or attackers have perfectly copied an internal communication style.

Humans don't behave like technical controls. We're varied, responsive, and constantly balancing competing priorities, often making fast decisions to keep work moving under pressure. None of this is intentionally malicious; it's human. But that doesn't stop it from being harmful.

What's the real risk surface?

Security culture improves when organisations reinforce secure behaviours in ways that fit naturally into day-to-day work. While most organisations have excellent visibility of risk across their networks and applications, fewer organisations can confidently answer questions like, "which teams are most likely to fall for targeted phishing during peak workload periods?", "where are password hygiene issues still happening?", or "which business units feel too busy to make critical updates?"

The space between policy and practice is where risk is quietly increasing, and attackers know this. They model attacks around human behaviour and have shifted from forcing their way in to staying patient and waiting to be let in as a result of human error.

How can businesses manage human risk?

Security breaches involve people, which means managing behaviour should be continuous, not limited to isolated training sessions. That can mean introducing interventions at potential moments of exposure, such as a contextual nudge when a suspicious link is clicked, a "just-in-time" reminder during a password reset, or tailored guidance when sensitive data is shared externally. Over time, these small moments help shift behaviour and build a security culture that lasts.

CISOs also need more than training completion rates to understand their workforce's readiness to respond to cyber threats. This is where a behaviour risk score that provides a clear, data-driven view of where exposure is increasing, which teams require reinforcement, and whether interventions are working, can help businesses measure and improve security health across the organisation.

Some argue that culture change is too slow, costly or complex, but failing to address behavioural risk is what really leaves CISOs exposed. Strong security programmes recognise that humans are the asset most targeted by bad actors; flipped on its head, that also means people have the potential to stop incidents if they are encouraged to ask questions, report incidents without fear, and feel supported rather than scrutinised.

Behavioural intelligence is an evolution of the way any business operates. It's about seeing how people behave, spotting where risk sits, and intervening before it becomes a problem.