How Company Culture Shapes Cybersecurity

Kirsty Harrison
  • 13 Mar 2026
  • 5 min read

Introduction

When we talk about cyberattacks, most people imagine someone in a hoody in a dark room trying to guess passwords, hacking into systems and breaking through layers of technology using black and green binary code.

In reality, most attacks take hold in a much more ordinary situation by preying on one thing: your people. Not because your staff are careless, but because of the way people work. We rush, we trust, we help each other out, we sometimes pick up bad habits. And attackers understand all those patterns really well.

In this article, we’ll look at how these everyday behaviours quietly increase risk, and how focusing on people (not just technology) can make your organisation far safer.

Why the Cybersecurity Landscape Feels So Intense Right Now

We’ve had a turbulent few years in the world of cybersecurity. Last year we saw some major cyberattacks that littered the headlines for weeks and weeks.

  • M&S had to stop all online orders for months, losing around £300 million.
  • Co‑op pulled themselves offline to limit damage, leaving shelves empty for weeks.
  • Jaguar Land Rover suffered a supply chain attack right as they launched the 75‑plate, leading to huge financial disruption.

These examples are from different industries, different systems, and different attack routes, but they all had one thing in common. The attackers exploited people.

Most Attack Types Rely on Human Nature

Although some cyberattacks are incredibly sophisticated, many of the most successful ones are deceptively simple and lean heavily on how people behave.

Phishing emails
Emails that look legitimate, tap into urgency, or mimic colleagues. They rely on someone being distracted, tired, or just trying to get through their inbox.

Social engineering
Attackers tailor their approach. They research names, roles, communication styles, and use that to build trust.

Malware
A single click on a link or attachment can give an attacker everything they need, and a lot of people don’t realise how fast that can happen.

Supply chain attacks
This is what we saw with the Jaguar Land Rover attack. Criminals compromise a supplier, then move upwards. They take advantage of the trust businesses naturally place in long‑standing partners.

Ransomware
Still one of the biggest threats. It locks systems and demands money, relying heavily on panic to push people into acting quickly.

Most attacks combine several of these. But the starting point is almost always the same: a normal person doing something normal.

Which brings us to the core issue: people can be your weakest link, or your strongest defence.

Culture Red Flags That Make Cyberattacks More Likely

Businesses often place a great deal of emphasis on the cybersecurity technology they have. That technology matters; we’re a managed IT service provider, so we know it does. But the culture that your people work in is often overlooked, and it’s an equally important piece of the puzzle.

Several patterns appear repeatedly inside businesses. They are ‘culture red flags’ that make staff more vulnerable without anyone realising it.

Workload and constant urgency

If your team is always rushing, always stretched, or always in “urgent mode”, they’re less likely to read emails carefully. Phishing signs become easy to miss. Social engineering becomes more believable. Tired people click things they wouldn’t normally click.

Insufficient or mismatched training

Not everyone begins with the same knowledge. Some employees genuinely don’t understand what malware looks like or why clicking “just to check” is risky. If training assumes knowledge that isn’t there, people will make decisions based on guesswork. Training also becomes meaningless when it’s treated as a tick‑box task rather than something that meets people where they are.

Unclear processes

Often, employees aren’t sure what to do when something feels wrong. Who should they tell? How should they report it? What happens if they’ve already clicked something? When processes are vague, people panic and hesitate. They try to secretly fix things themselves, which takes time. And time is exactly what attackers want.

Poor reporting culture

If staff feel ignored, dismissed or blamed when they report concerns, they eventually stop reporting. When people stop reporting, attackers gain more time inside systems. They can remain undetected for weeks or months. This is exactly what we saw in the M&S attack.

Unexpected norms and leadership exceptions

If leaders skip processes, or regularly expect employees to skip processes to ‘get things over the line’, those exceptional behaviours become normal. When this happens, people stop recognising what ‘unexpected’ looks like because they see it every day.

The small business mindset

Believing “We’re too small to be attacked” is itself a vulnerability. It spreads through organisations quickly and reduces vigilance. Attackers count on this mindset.

Being behind with technology

Outdated systems and slow processes push staff to find faster, insecure workarounds, such as using personal devices, relying on shadow IT (use of ‘unofficial’ tools or methods) or feeding information into AI tools without understanding where that data goes. These behaviours don’t come from negligence; they come from trying to get work done.

Being overly strict

On the opposite end, environments that are too locked down force people into insecure workarounds. If your systems make it difficult for staff to do their jobs, they’ll find ways around the rules. Those workarounds are almost always less secure than the original process.

Why This Matters Even More Now

Attackers increasingly rely on small human openings rather than technical flaws. They know staff are busy, they know processes aren’t always clear, and they know small inconsistencies add up.

But there’s now also a new factor: AI.

Even in organisations that haven’t formally introduced AI tools, staff are using them, often without realising the risks. They paste in information to save time, not considering where that information goes or who can access it. As with all of the above, this isn’t deliberate misuse. It’s a sign that business culture hasn’t caught up with the pace of technology.

How to Build a Culture That Strengthens Cybersecurity

The strongest cybersecurity cultures that we see aren’t built on fear or rigid control. They’re built on clarity, consistency and communication.

A healthy culture is one where:

  • People know what ‘suspicious’ looks like
  • Reporting feels safe, not risky
  • Processes are simple enough to follow under pressure
  • Leaders model the same behaviours they expect from staff
  • Training matches the real knowledge levels in the room
  • Technology supports how people work rather than fighting against it
  • Conversations about incidents become normal, not reactive

These small cultural shifts make a significant difference to a business’s cybersecurity strategy.

Two Challenges To Understand Your Own Culture

If you’re keen to understand your own company culture and its impact on your cybersecurity, try these simple exercises as a starting point.

Challenge 1: Ask employees how they’d report a cyber incident

Give people a cyber incident scenario and ask what they’d do first. Make sure to ask across different departments and levels. The variety of answers you get will reveal a lot about your processes and communication. If you get consistent and correct answers, you’re likely doing a great job. If you’re getting a variety of answers and a lot of uncertainty, then there’s probably some work to do!

Challenge 2: Find out how AI is being used unofficially

Even if AI isn’t formally rolled out, your staff will be using it somewhere. Ask them what tools they’ve used and what kind of information they’ve entered. This isn’t about catching anyone out or blaming them; it’s about understanding the reality so you can manage it safely.

Final Thoughts

Cybersecurity sits at the intersection of people, behaviour and technology, and people have always been the unpredictable part. When culture is clear, calm and supportive, employees become one of your strongest defences.
