Five Key Lessons For Building A Resilient Cyber Security Department

Businesses have come to rely more heavily on connectivity, cloud storage and digital infrastructure in recent years, and as a result tend to retain higher volumes of private data. For cybercriminals, that data is like currency. The more they can steal, the greater the leverage they have to extort their target.

High-profile incidents, such as the recent breach at Marks & Spencer and the attempted attack on Co-op, have disrupted operations, sent share values plummeting and eroded customer trust. In 2024, 43% of UK businesses experienced a cyber incident, and with the volume of breaches surging, conversations around cyber investment are being tabled in the boardroom.

Cyberattacks have cost British businesses approximately £44 billion in lost revenue over the last five years. To minimise the threat level, regulations and standards such as NIS and ISO/IEC 27001 have been introduced. However, compliance obligations have grown rapidly, and the tools and technologies designed to help employees cope with the resulting information ‘tsunami’ have struggled to keep up.

Today, even the most diligent workforce can experience “security fatigue,” where the sheer volume of policies, rules, regulations and reminders becomes too much to bear. This isn’t just a policy problem, a technology problem, or a compliance problem – it’s also a cultural problem.   

So, what proactive steps can organisations take to mitigate this growing threat? 

1. Understanding the threat level: From impersonating banks to tricking colleagues into clicking malicious links and handing over their personal details, cyber criminals have naturally evolved their methods of attack. Stay informed about data breaches and maintain a good level of cyber hygiene. Beyond implementing policies, cyber teams should help to embed a security-first mindset across the entire employee lifecycle—from onboarding to ongoing development and exit processes. This includes providing clear, role-specific guidance and practical training to help employees recognise and respond correctly to common cyber threats.
 
2. Prevention is better than cure: Many organisations respond to threats with a blanket approach, layering on generic rules and one-size-fits-all training. This often results in an overload of information that feels disconnected from employees’ day-to-day responsibilities, reducing engagement and increasing risk. To combat security fatigue effectively, organisations must find a balance between essential security protocols and manageable compliance practices. Cybersecurity training courses are designed to tackle this head-on. By teaching and implementing a risk-based approach to compliance, organisations can prioritise relevant, high-impact measures and deliver training that is targeted, practical and aligned to specific job roles. This ensures that employees understand not just the “what” but the “why” behind security protocols.
 
3. Motivation meets practicality: Engaging employees in cybersecurity requires more than just instructing them to follow protocols; it requires a focus on motivation and relevance. Too often, organisations rely on generic, box-ticking training that emphasises rules over context. People are more likely to adopt secure behaviours if they understand how these practices connect to their own roles and responsibilities. Tailoring content to specific job functions and real-world scenarios will help employees see the direct impact of secure behaviour in their everyday work. This relevance drives engagement and significantly improves retention and compliance.
 
4. Embed within company culture: Cybersecurity shouldn’t be an afterthought; it is now recognised as critical to the infrastructure of every organisation. Companies that prioritise ongoing education and skill development are better positioned to adapt to market changes and seize new opportunities. This commitment to continuous learning should extend to all employees, regardless of their current skill level or position within the company. When organisations actively support learning, they not only enhance the capabilities of their workforce but also inspire a mindset of curiosity and innovation.
 
5. Conducting regular cybersecurity training: Regular training for staff is crucial for building a robust cybersecurity culture. However, fatigue often stems from well-meaning but excessive training and policy requirements, which can lead to disengagement or even non-compliance. Employees cannot be expected to instantly become cybersecurity experts after an hour-long training session, but they can be made aware of the risks and be asked to follow guidelines and policies that lessen the chances of a breach taking place.


As threats grow in frequency and sophistication, organisations must shift from reactive defences to proactive, people-focused strategies. At the heart of this is effective cybersecurity training that is continuous, role-specific, and embedded into company culture.

By investing in meaningful education, businesses can learn from previous mistakes, combat security fatigue, and build long-term resilience against cyber threats. 

Kevin Vashi is an Adult Skills expert at Netcom Training

Image: Ideogram
