Patrick Arben
Partner
Article
One overlooked policy. One untrained employee. One phishing email. That's all it takes. Are you prepared?
In today's hyper-connected world, organisations face a constantly evolving landscape of cyber threats. From phishing to ransomware attacks, the vulnerabilities are endless. But often, the most significant cybersecurity risk is not an IT issue – it is the human element.
Whether through lack of knowledge or a moment of carelessness, individual employees can unintentionally open the door to criminals. This makes strong organisational measures and cybersecurity training not just a standard process, but a strategic essential.
In this article we discuss the importance of organisational measures and creating the right cyber security culture.
Organisational measures are processes and practices that organisations should implement to manage risks in relation to security and compliance. In fact, organisational measures can be straightforward to implement but are often overlooked.
Organisations often rely on technical measures and while these are essential, they are not infallible. The world of technology is continually advancing and even the best security systems cannot always keep up. This is where organisational measures matter. Employee training, clear policies and procedures, and detailed risk assessments ensure that if technology fails, your people know how to respond.
So, what are the organisational measures that you should be thinking about?
An organisation's culture influences how cybersecurity is approached: for example, how decisions are made, how incidents are managed and people's attitudes towards it. Work to enhance an organisation's cybersecurity will be most successful if backed by a culture that promotes and supports such improvements. A culture of risk awareness and respect for personal and other data should be fostered throughout the entire employment and corporate life cycle (from hiring and onboarding through to termination). Cybersecurity should be treated as a discipline and not a tick-box exercise.
With this in mind, the National Cyber Security Centre (NCSC) published new guidance in June 2025 - Cyber Security Culture Principles. The six principles centre on creating a cyber security environment where everyone in the workplace is invested in safeguarding the business. The aim of the principles is to ensure people are empowered to be vigilant and proactive; employees are engaged, understand and respect cybersecurity rules, which will be intuitive and flexible; and leaders are role models ready to motivate their teams with the right incentives.
It is critical that directors and boards take cybersecurity as seriously as they take other principal risks, and that they are seen to do so, so that employees know and appreciate the importance their senior leaders place on managing those risks. In April 2025 the Cyber Governance Code of Practice (the Code) was published, having been developed in collaboration with the NCSC and industry.
The Code formalises expectations relating to the governance of cybersecurity by organisations, including the actions that directors and non-executive directors need to take to meet their responsibilities. The Code was a response to suggestions that organisations need to know what 'good looks like', bringing together critical governance areas for which directors need to take ownership. Building a culture of awareness is the key to good cyber hygiene and it starts at the top of any organisation.
Whether a junior team member or the CEO, every employee needs cybersecurity awareness training.
In 2024, KnowBe4 carried out a study[1] and analysed 11.9 million users (across 7 geographical regions) with over 54.1 million phishing simulations. This revealed that 34.3% of untrained users were susceptible to phishing attacks, meaning that 1 in 3 workers could open the door to cyber criminals. This figure dropped to 18.9% after 90 days of training and to 4.6% after 1 year of training. Imagine the difference that regular training and testing could make to your organisation.
Before hiring, organisations should consider appropriate background checks, with more stringent measures taken to assess the suitability of those who will handle or have access to the most sensitive information, such as administrator access to IT systems.
Once an employee is recruited, appropriate training on risk awareness and compliance should be prioritised. It is easy to target training at individuals who have cyber responsibilities. But what about the rest of the employees? Nobody is immune to phishing or social engineering attacks.
Not all threats come in the form of corporate emails or links. Some of these threats will materialise in an employee's private life, including on social media. A fun quiz to reveal your 'superhero' name or your 'spy' name might seem innocuous – all an employee needs to do is comment with their mother's maiden name, the street they grew up on, or their childhood pet's name. But what seems like harmless fun on social media could actually be the first step to cyber vulnerability in the workplace. Quizzes like this can be intended to trick users into revealing the same information that is used for security questions or common passwords, whether for personal or business accounts.
Making employees aware of these trivia tricks and encouraging them to be cautious about the information that they share online is vital to ensuring that they are keeping the organisation cyber safe.
Strong cybersecurity culture requires robust policies and procedures in practice.
Often referred to as an Information Security Management System, a policy framework outlines the organisation's rules for confidentiality and security. The framework should include security objectives and scope, security principles, standards and compliance requirements and roles and responsibilities. The framework must be approved by management, shared with employees and relevant third parties, reviewed regularly, and easily accessible - such as via the intranet.
There should be established rules around password complexity, frequency of changes and sharing.
A culture that encourages incident and near-miss reporting without punishment must be fostered.
A mature incident response procedure must be established, which is regularly tested.
Clear policies and procedures reduce confusion and can be the difference between preventing a threat and experiencing a breach. Employees should understand their role in maintaining security standards, with policies clearly communicated and reinforced through regular training.
When it comes to organisational measures, our cyber security and resilience team helps devise or improve your current policies and procedures. We also increase board and employee awareness of, and preparedness for, cyber incidents by developing and testing incident response and breach policies. For further advice on this, contact our Cyber Security and Resilience team.
[1] KnowBe4, 2024 Phishing by Industry Benchmarking Report