Five Key Lessons For Building A Resilient Cyber Security Department

Businesses have come to rely on connectivity, cloud storage and digital infrastructure more in recent years and as a result tend to retain higher volumes of private data. For cybercriminals, that data is like currency. The more they can steal, the greater the leverage they have to extort their target.

High-profile incidents, such as the recent breach at Marks & Spencer and the attempted attack on Co-op, have disrupted operations, sent share values plummeting and eroded customer trust. In 2024, 43% of UK businesses experienced a cyber incident, and with the volume of breaches surging, conversations about cyber investment are now being tabled in the boardroom.

Cyberattacks have cost British businesses approximately £44 billion in lost revenue over the last five years. To minimise the threat level, regulations and standards such as NIS and ISO/IEC 27001 have been introduced. However, the tools and technologies designed to help employees cope with the resulting information ‘tsunami’ have struggled to keep pace with the rapid growth of compliance obligations.

Today, even the most diligent workforce can experience “security fatigue,” where the sheer volume of policies, rules, regulations and reminders becomes too much to bear. This isn’t just a policy problem, a technology problem, or a compliance problem – it’s also a cultural problem.   

So, what proactive steps can organisations take to mitigate this growing threat? 

1. Understanding the threat level: From impersonating banks to tricking colleagues into clicking malicious links and handing over their personal details, cyber criminals have naturally evolved their methods of attack. Stay informed about data breaches and maintain a good level of cyber hygiene. Beyond implementing policies, cyber teams should help to embed a security-first mindset across the entire employee lifecycle, from onboarding to ongoing development and exit processes. This includes providing clear, role-specific guidance and practical training to help employees recognise and respond correctly to common cyber threats.
 
2. Prevention is better than cure: Many organisations respond to threats with a blanket approach, layering on generic rules and one-size-fits-all training. This often results in an overload of information that feels disconnected from employees’ day-to-day responsibilities, reducing engagement and increasing risk. To combat security fatigue effectively, organisations must find a balance between essential security protocols and manageable compliance practices. Cybersecurity training courses are designed to tackle this head-on. By teaching and implementing a risk-based approach to compliance, organisations can prioritise relevant, high-impact measures and deliver training that is targeted, practical, and aligned to specific job roles. This ensures that employees understand not just the “what” but the “why” behind security protocols.
 
3. Motivation meets practicality: Engaging employees in cybersecurity requires more than just instructing them to follow protocols; it requires a focus on motivation and relevance. Too often, organisations rely on generic, box-ticking training that emphasises rules over context. People are more likely to adopt secure behaviours if they understand how these practices connect to their own roles and responsibilities. Tailoring content to specific job functions and real-world scenarios will help employees see the direct impact of secure behaviour in their everyday work. This relevance drives engagement and significantly improves retention and compliance.
 
4. Embed within company culture: Cybersecurity shouldn’t be an afterthought. It is now recognised as critical to the infrastructure of every organisation. Companies that prioritise ongoing education and skill development are better positioned to adapt to market changes and seize new opportunities. This commitment to continuous learning should extend to all employees, regardless of their current skill level or position within the company. When organisations actively support learning, they not only enhance the capabilities of their workforce but also inspire a mindset of curiosity and innovation.
 
5. Conduct regular cybersecurity training: Regular training for staff is crucial for building a robust cybersecurity culture. However, fatigue often stems from well-meaning but excessive training and policy requirements, which can lead to disengagement or even non-compliance. Employees cannot be expected to become cybersecurity experts after an hour-long training session, but they can be made aware of the risks and be asked to follow guidelines and policies that lessen the chances of a breach taking place.

As threats grow in frequency and sophistication, organisations must shift from reactive defences to proactive, people-focused strategies. At the heart of this is effective cybersecurity training that is continuous, role-specific, and embedded into company culture.

By investing in meaningful education, businesses can learn from previous mistakes, combat security fatigue, and build long-term resilience against cyber threats. 

Kevin Vashi is an Adult Skills expert at Netcom Training
