Cyber security isn't just about tools and systems. Engaged and confident people play a major role in protecting our organisation and making it safer and harder to compromise. This series invites you to boost your essential cyber security knowledge and reinforce best practices in our workforce. Together, we can continue building a positive security culture where everyone feels responsible for protecting our data.
The National Cyber Security Centre (NCSC) identifies 'Engagement and Training' as a core component of a resilient organisation. Our people are our strongest asset, provided they have the right knowledge and are engaged with security best practices.
The NCSC advises that staff training and engagement should be continuous and cover acceptable, secure use of an organisation's systems. This isn't just about avoiding mistakes; it's about actively contributing to our collective defence.
This month, we're focusing on simple habits that help everyone stay alert, make safer choices, and strengthen our 'human firewall.'
Effective engagement and training transform employees from potential vulnerabilities into active participants in an organisation's security posture. While technical solutions are crucial, staff are often the first and most effective line of defence against attacks.
However, human error remains a leading cause of breaches and incidents. Most cyber incidents start with a human action, whether a rushed click, a reused password or a reply to a message that 'looks legitimate.' Attackers rely on speed and distraction, but strong engagement and basic training reduce these risks.
Building awareness across the organisation helps us:
People remain a primary target for criminals. In the UK, phishing attacks remain at high levels and are becoming increasingly sophisticated, targeting individual weaknesses and a lack of awareness.
Attackers may often pose as colleagues, partners or senior leaders. They copy email signatures and writing styles, and may use urgency to get quick reactions.
Common signs include:
These attackers also rely on social engineering techniques and exploit remote and hybrid working, where less secure home networks can broaden the attack surface.
The attacks which affected major retailers like M&S and Harrods are textbook examples of impersonation attacks that leverage social engineering. In a coordinated campaign, attackers (Scattered Spider) bypassed technical security by exploiting the human element.
By impersonating employees, they were able to trick IT staff into resetting credentials of legitimate user accounts and gain unauthorised access to internal corporate systems. This breach was then used to deploy ransomware, leading to major disruptions like the suspension of online orders and the theft of customer data.

The most common entry point for cyber threats is still the simple email, and phishing is the most well-known type of attack. It is a deceptive tactic where attackers try to trick you into revealing sensitive information like passwords. They often mimic trusted sources, like senior management, IT support, or well-known companies.
Types of Phishing
| Type | Description | Key Indicator |
| --- | --- | --- |
| Standard phishing | A broad attack that is often sent to many people via bulk email. | An email that includes a generic greeting ('Dear customer'), an urgent tone and an unusual sender address. |
| Spear phishing | A targeted attack aimed at a specific individual or team. | An email that includes references to internal projects, specific colleagues or personal details. |
| Whaling | A highly targeted attack aimed at senior executives or management. | High-level requests, often about confidential company information or urgent payments. |
Before clicking any link or downloading an attachment, follow these three simple checks:
Your password is the primary lock on your digital door. Avoid using weak, easy-to-guess passwords. Longer, memorable passphrases, such as three random words together, are stronger and easier to remember than short, complex passwords. Strength comes from length, not complexity: a long passphrase is much easier for you to remember and far harder for attackers to crack.
Click the link to try the different passwords in the table below and see how long it would take a computer to crack!
https://www.security.org/how-secure-is-my-password/
| Instead Of... | Try... | Why It Works |
| --- | --- | --- |
| Arsenal2025! | BlueSky-Over-London-25th! | It's easy to remember, and uses random words and symbols for maximum length. |
| MyPetName1 | I-Hate-Tuesdays-But-Love-Coffee | It uses a memorable sentence, making it long and unique. |
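To show why length beats complexity, the following added example (not part of the original newsletter) estimates the brute-force search space for the passwords in the table above. The guess rate and dictionary size are constructed assumptions for illustration; real cracking speeds vary with hardware and the hashing used.

```python
import math

# Constructed assumption: an offline attacker trying 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must search for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password: str) -> float:
    """Entropy in bits if every character were drawn uniformly from the charset.
    Each extra character multiplies the search space; that is why length dominates."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy when the attacker already knows the passphrase is n random dictionary
    words. This is the honest lower bound for the 'three random words' advice."""
    return n_words * math.log2(dictionary_size)


def years_to_crack(bits: float) -> float:
    """Average time (half the search space) at the assumed guess rate."""
    return (2 ** bits) / 2 / GUESSES_PER_SECOND / (365 * 24 * 3600)


def rank_by_strength(passwords: list[str]) -> list[str]:
    """Return the given passwords ordered from weakest to strongest."""
    return sorted(passwords, key=brute_force_bits)


if __name__ == "__main__":
    for pw in rank_by_strength(["Arsenal2025!", "BlueSky-Over-London-25th!",
                                "MyPetName1", "I-Hate-Tuesdays-But-Love-Coffee"]):
        bits = brute_force_bits(pw)
        print(f"{pw:35} {len(pw):3} chars  {bits:6.1f} bits  ~{years_to_crack(bits):.2e} years")
    print(f"3 random words from 20,000: {passphrase_bits(3, 20000):.1f} bits")
```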
Never reuse a password between company and personal accounts. A password compromised on one platform puts every account that shares it at risk.
MFA is the most effective way to prevent account takeover attempts. Even if an attacker steals your password, the extra authentication blocks unauthorised access. It works by requiring two or more verification methods to prove you are who you say you are, such as:
Ultimately, a single oversight, like a missed phishing email or a weak password, can compromise an entire organisation.
If you get an email or request that seems suspicious, do not:
Inform your designated IT security team or line manager immediately, providing as much detail as possible about what happened, and only delete it after the security team advises. Remember, remaining aware and reporting these emails is key to a swift and effective response.
Your constant vigilance, and your help in detecting and blocking threats before they can cause harm across the business, is the human firewall that protects us all.
Let us know your thoughts in the comment section below or visit the NCSC's 10 Steps to Cyber Security for more cyber security guidance.