For years, employees have been described as the weakest link in cybersecurity. It is a phrase that has been used across the industry to explain why cyber incidents happen. At Optimise Cyber Solutions, we see it differently. People are not the weakest link. Untrained people are.
In most of the organisations we work with, staff are not deliberately careless. They are busy, under pressure, trying to do their jobs, and often expected to recognise increasingly sophisticated cyber threats without ever being properly shown what those threats look like. They are using email, cloud systems, shared files, mobile devices, Microsoft 365, remote access tools and online platforms every day, but many have only received basic, tick-box training, if they have received any training at all.
That is where the real risk sits. Cybersecurity awareness training is often treated as something that must be completed once a year to satisfy a requirement. Staff watch a short video, answer a few questions, and the organisation records that the training has been done. The problem is that cybercriminals do not operate in tick boxes. They operate in the real world. They use pressure, emotion, timing, trust and confusion. They target people when they are busy, distracted or simply trying to be helpful.
This is why cybersecurity awareness training needs to change. It needs to move away from generic information and become practical, relevant and rooted in how people actually work. At Optimise Cyber Solutions, this is the gap we see time and time again across UK SMEs. Businesses have invested in technology, but they have not always invested enough in their people. They may have firewalls, antivirus software, email filtering and multi-factor authentication, but staff still do not always know how to recognise a phishing email, challenge a suspicious payment request, report a potential incident, or understand the consequences of mishandling sensitive data.
Technology matters, but people still make decisions every day that affect the security of the business.
What we see across industry
The businesses we speak to are often not ignoring cybersecurity. In fact, many are trying to do the right thing. They have policies in place. They have IT support. They have cyber insurance. Some are working towards Cyber Essentials, ISO 27001 or contractual compliance requirements. Others are being asked by clients, suppliers or public sector buyers to show how they manage cyber risk.
However, when we look closer, we often see the same issues appearing. Staff may not know what to do if they click on a suspicious link. Managers may not know who should make decisions during a cyber incident. Finance teams may not have a clear process for verifying urgent payment requests. Remote workers may be using personal devices, weak passwords or insecure home networks. Employees may be handling personal data without fully understanding the risks. Senior leaders may assume cybersecurity sits with IT, when in reality a serious incident quickly becomes a leadership, operational, legal and reputational issue.
These are not unusual problems. They are normal business risks that appear when cybersecurity has not been embedded properly into day-to-day operations. One of the biggest issues we see is that many businesses do not realise how quickly a small mistake can escalate. A phishing email can lead to a compromised account. A compromised account can lead to data exposure, invoice fraud, ransomware or further attacks against customers and suppliers. A delayed report from a member of staff can give an attacker more time inside the organisation.
In many incidents, the difference between a manageable event and a major breach is not just the technology in place. It is whether somebody recognises the warning signs early and knows what to do next.
Why SMEs are particularly exposed
Small and medium-sized businesses are often targeted because attackers know they can be under-resourced. Many SMEs do not have a dedicated cybersecurity team. Some rely on outsourced IT support, which can be very effective, but IT providers cannot see every decision being made by every employee throughout the day.
Attackers understand this. They know that SMEs are often busy, lean and relationship-driven. They know that staff may trust familiar names, suppliers, customers or senior colleagues. They know that finance teams may receive urgent requests. They know that business owners may use email on the move. They know that remote workers may not always have the same level of protection as they would in the office.
This is why so many attacks focus on people. Phishing emails are no longer always badly written messages full of spelling mistakes. Many are now convincing, targeted and carefully timed. Social engineering attacks may involve phone calls, text messages, WhatsApp messages or fake Microsoft login pages. Business email compromise can look like a normal conversation with a known contact. Invoice fraud can appear to come from a trusted supplier. Ransomware attacks often begin with a single compromised account or device.
The threat has changed, but in many businesses, the training has not kept pace.
The problem with generic training
Generic cybersecurity training often tells people what they should not do. Do not click suspicious links. Do not share passwords. Do not open unexpected attachments. Do not ignore updates. That advice is not wrong, but it is not enough.
The problem is that real attacks are designed not to look suspicious. They are designed to look normal. They use familiar branding, expected business processes and believable requests. They often arrive when someone is busy or under pressure. They may appear to come from a colleague, a supplier, a customer, a bank, HMRC, Microsoft, a delivery company or a senior leader.
Employees need more than a list of rules. They need to understand how attackers think. That is why our training focuses heavily on real world examples, attacker behaviour and practical decision making. We want staff to understand not only what a phishing email looks like, but why it works. We want them to recognise how urgency, authority, fear and curiosity are used to manipulate people. We want them to feel confident slowing down, checking requests and reporting concerns.
The aim is not to make every employee a cybersecurity expert. The aim is to give them enough knowledge and confidence to protect themselves and the organisation.
Compliance is important, but resilience is the real goal
Many organisations come to cybersecurity awareness training because they have a compliance requirement. They may need to support Cyber Essentials, ISO 27001, data protection responsibilities, insurance requirements, supply chain assurance or tender submissions.
That is understandable. Compliance matters. It gives businesses structure, evidence and accountability. It also helps demonstrate to clients and partners that cybersecurity is being taken seriously.
However, compliance should be the starting point, not the end goal. A business can have policies that staff have never read. It can have an incident response plan that nobody has tested. It can have training records that show completion, without any confidence that behaviour has actually changed.
The real question is not simply, “Have our staff completed training?” The better question is, “Would our staff know what to do if something happened today?” Would they report a suspicious email? Would they challenge an unusual payment request? Would they know who to contact if they accidentally sent data to the wrong person? Would managers know how to escalate a cyber incident? Would leaders know how to make decisions under pressure?
That is where practical training, incident exercising and ongoing awareness become so important.
What good awareness training should achieve
Good cybersecurity awareness training should make people more confident, not more frightened. At Optimise Cyber Solutions, we believe training should be engaging, practical and linked to the real risks faced by the organisation. It should speak to employees in plain language and show them situations they recognise from their own working day.
For employees, this might include phishing, password security, social engineering, data protection, secure remote working, device safety, safe browsing and incident reporting. For managers and leaders, it should go further. They need to understand business impact, decision making, incident response, communication, legal and regulatory considerations, reputational risk and recovery planning.
For organisations, the training should also create evidence. This includes completion records, knowledge checks, certificates, audit trails and clear alignment to recognised standards where appropriate. This evidence is increasingly important when businesses are applying for contracts, demonstrating compliance or reassuring customers.
But the most important outcome is behavioural change. Staff should leave the training knowing what to look for, what to question and what to report. They should understand that reporting quickly is a strength, not an admission of failure. They should feel supported, not blamed.
That cultural shift is one of the most valuable things a business can achieve.
The role of leadership
One of the biggest lessons from real cyber incidents is that leadership matters. Cybersecurity cannot be left entirely to IT. A serious incident can affect operations, finance, customer service, HR, legal obligations, communications and reputation. Decisions may need to be made quickly. Customers may need to be informed. Systems may need to be taken offline. Staff may need clear instructions. Suppliers, insurers or regulators may need to be contacted.
If senior leaders have not thought about these issues before an incident, they will be forced to make decisions under pressure. That is why we encourage businesses to combine awareness training with cyber incident response exercising. A good exercise allows leaders and managers to walk through a realistic scenario in a safe environment. It exposes gaps in processes, communication, decision making and responsibility before a real attacker does.
For SMEs, this can be especially valuable. Many smaller businesses have informal ways of working that are effective day to day, but may not hold up during a fast-moving incident. An exercise helps turn assumptions into clear actions.
Employees can become the strongest defence
The phrase “weakest link” has done a lot of damage because it encourages blame. It suggests that people are the problem. Our experience shows the opposite. When staff are properly trained, they become one of the strongest parts of an organisation’s defence.
They spot suspicious emails. They challenge unusual requests. They report mistakes quickly. They protect customer data. They follow secure processes. They help create a culture where cybersecurity becomes part of everyday business behaviour.
That does not happen by accident. It happens when businesses invest in awareness, leadership, policies, testing and continuous improvement. For SMEs, the message is simple. Cybersecurity does not need to be overwhelming, but it does need to be taken seriously. Start with the people. Help them understand the threats. Give them clear processes. Support them when they report concerns. Test your response. Build confidence across the organisation.
The businesses that will be best protected are not simply the ones with the most technology. They are the ones that bring together people, process and technology in a practical way.
At Optimise Cyber Solutions, that is the work we do every day. We help organisations move beyond tick-box training and build real cyber confidence. We help staff understand the risks they face, leaders understand the decisions they may need to make, and businesses demonstrate that they are taking cybersecurity seriously.
It is time to stop calling employees the weakest link. With the right training, support and culture, they can become the strongest defence a business has.