Businesses have come to rely more on connectivity, cloud storage and digital infrastructure in recent years and, as a result, tend to retain higher volumes of private data. For cybercriminals, that data is like currency: the more they can steal, the greater the leverage they have to extort their target. High-profile incidents, such as the recent breach at Marks & Spencer and the attempted attack at Coop, have disrupted operations, sent share values plummeting and eroded customer trust. In 2024, 43% of UK businesses experienced a cyber incident, and with the volume of breaches surging, conversations around cyber investment are being tabled in the boardroom.
Cyberattacks have cost British businesses approximately £44 billion in lost revenue over the last five years. To minimise the threat level, regulations and standards such as NIS and ISO/IEC 27001 have been introduced. However, the tools and technologies designed to help employees cope with this information ‘tsunami’ have struggled to keep up with the rapid growth of compliance obligations. Today, even the most diligent workforce can experience “security fatigue,” where the sheer volume of policies, rules, regulations and reminders becomes too much to bear. This isn’t just a policy problem, a technology problem, or a compliance problem – it’s also a cultural problem.
So, what proactive steps can organisations take to mitigate this growing threat?
Understanding the threat level – From impersonating banks to tricking colleagues into clicking malicious links and handing over their personal details, cyber criminals have naturally evolved their methods of attack. Stay informed about data breaches and maintain a good level of cyber hygiene. Beyond implementing policies, cyber teams should help to embed a security-first mindset across the entire employee lifecycle – from onboarding to ongoing development and exit processes. This includes providing clear, role-specific guidance and practical training to help employees recognise and respond correctly to common cyber threats.
Prevention is better than cure – Many organisations respond to threats with a blanket approach, layering on generic rules and one-size-fits-all training. This often results in an overload of information that feels disconnected from employees’ day-to-day responsibilities, reducing engagement and increasing risk. To combat security fatigue effectively, organisations must find a balance between essential security protocols and manageable compliance practices. Cybersecurity training courses are designed to tackle this head-on. By teaching and implementing a risk-based approach to compliance, organisations can prioritise relevant, high-impact measures and deliver training that is targeted, practical, and aligned to specific job roles. This ensures that employees understand not just the “what” but the “why” behind security protocols.
Motivation meets practicality – Engaging employees in cybersecurity requires more than just instructing them to follow protocols; it requires a focus on motivation and relevance. Too often, organisations rely on generic, box-ticking training that emphasises rules over context. People are more likely to adopt secure behaviours if they understand how these practices connect to their own roles and responsibilities. Tailoring content to specific job functions and real-world scenarios will help employees see the direct impact of secure behaviour in their everyday work. This relevance drives engagement and significantly improves retention and compliance.
Embed within company culture – Cybersecurity shouldn’t be an afterthought. It is now recognised as critical infrastructure for all organisations. Companies that prioritise ongoing education and skill development are better positioned to adapt to market changes and seize new opportunities. This commitment to continuous learning should extend to all employees, regardless of their current skill level or position within the company. When organisations actively support learning, they not only enhance the capabilities of their workforce but also inspire a mindset of curiosity and innovation.
Conduct regular cybersecurity training – Regular training for staff is crucial for building a robust cybersecurity culture. However, fatigue often stems from well-meaning but excessive training and policy requirements, which can lead to disengagement or even non-compliance. Employees cannot be expected to instantly become cybersecurity experts after an hour-long training session, but they can be made aware of the risks and asked to follow guidelines and policies that lessen the chances of a breach taking place.
As threats grow in frequency and sophistication, organisations must shift from reactive defences to proactive, people-focused strategies. At the heart of this is effective cybersecurity training that is continuous, role-specific, and embedded into company culture. By investing in meaningful education, businesses can learn from previous mistakes, combat security fatigue, and build long-term resilience against cyber threats.