Cybersecurity Awareness Training: A 7-Step Guide to Building a Security Culture

Article

Most organisations invest in firewalls, endpoint protection, and monitoring tools… Yet breaches keep happening. That’s because the majority trace back to human behaviour. 

 

That is not a criticism. It’s an opportunity. 

 

That’s because human behaviour can be changed, so long as the right culture is in place. And building a genuine security culture means shifting how your people think about and respond to threats every day, not just in the midst of a breach.

Trustack MSP Cyber Security, IT Services, IT Support. A person in a red long-sleeve shirt types on a laptop keyboard, illustrating the importance of DLP in business security. The image, taken from above, shows the screen’s white light illuminating the hands and keys.

In this piece, we’re going to explore the steps you should take to establish a security culture that sticks. For those of you pressed for time, just look at the following seven steps: 

 

  1. Choose two behaviours to change 
  2. Design a plan to influence them at scale 
  3. Secure buy-in from leadership 
  4. Communicate the “why” 
  5. Execute with flexibility 
  6. Measure the results 
  7. Plan the next cycle 

 

For those of you who want the detail, stick with me. We’ll go through each step so you can take this back to your team and build a lasting security culture.

What Is Security Culture and Why Does It Matter?

In plain terms, security culture is what your people do when no one is watching. 

 

Employees who understand threats make better decisions like spotting phishing attempts and reporting suspicious activity while following

company policies. 

 

With that definition in mind, let’s get to how we can actually build it. 

Step 1: Choose Two Behaviours to Change

You should start narrow. Trying to change everything at once guarantees you change nothing meaningfully. 

 

How to identify the behaviours: 

  • Run a Security Culture survey to learn where you currently stand across key dimensions: attitudes, behaviours, compliance, communication, and norms. 
  • From our experience, the behaviours most UK SMEs will want to start with are phishing awareness and credential hygiene. 

 

With your behaviours identified, it’s time to make a plan. Expect this first cycle to play out over a quarter or two. 

Step 2: Design a Plan to Influence Those Behaviours at Scale

You cannot be everywhere. Your plan needs to scale beyond your team, without your constant oversight. 

 

How to design your plan: 

  • Think of this like a technology rollout. Map dependencies, identify failure points, build in contingency. 
  • Identify security champions across the business. Who else in your organisation is naturally security-conscious and trusted by their peers? 
  • Understand how you will drive change both formally (policy updates) and informally (social modelling by leaders and champions). 

 

Invest time in briefing your champions and making them feel ownership over the programme; they will be key to making it happen. 

Step 3: Secure Leadership Buy-In

No cultural shift succeeds without visible support from the top. 

 

How to get leadership buy-in: 

  • Prepare a short executive summary. Focus on business risk and consequences, not technical detail. 
  • Ask for a specific, low-friction commitment. A mention at an all-hands meeting or a signed communication carries significant weight. Bonus points for writing it on their behalf so their commitment is as frictionless as possible. 
  • Pitch it simply. 

 

Ransomware is our biggest exposure. I want to reduce it by improving how staff spot and report phishing. I need your backing for a short programme and five minutes at the next all-staff. 

 

Executives are the most visible employees of any company, so having them publicly on board is important. They can help acquire champions for you, as well. 

Step 4: Communicate the 'Why', Not Just the 'What'

Telling people to lock their screens means little without context. Explaining that an unlocked screen can take less than 60 seconds to compromise, and that this has happened in organisations like yours, lands much better. 

 

How to apply this: 

  • Frame every communication around personal relevance. People (bless them) are selfish; they’ll act when they understand the threat to them, not just the organisation. 
  • Use multiple channels: email, intranet banners, team briefings etc. Repetition matters, and not everyone will engage with your comms in the same way. 
  • Keep your tone supportive. Position the security team as an ally rather than an enforcer. 

 

Explaining the reasons behind each change will hammer home the personal relevance of the project. 

Step 5: Execute (With Flexibility Built In)

A well-designed plan still needs room to adapt; no plan survives first contact with the sales team… 

 

How to execute: 

  • Define what success looks like before you start. Set measurable targets (e.g. phishing report rates). 
  • Communicate progress as it happens. Celebrate early wins visibly, across those same channels you’ve been rolling the plan out on. 
  • Expect some pushback. People resist change. If you acknowledge friction points, and resolve them where possible (communicating when you do), you’ll build the trust you need. 
  • Keep champions informed and supported throughout. They are your early warning system if something is not landing. 

 

So long as you’re listening out for criticism and examining how the plan can be adapted, you’re in good shape. 

Step 6: Measure Results

What gets measured gets improved. This protects your programme’s budget and support (especially from those execs we talked about earlier). 

 

How to measure effectiveness: 

  • Run a follow-up Security Culture Survey and compare results against your baseline from step 1. 
  • Quantify where you can: reduction in phishing click rates, increase in incident reports, drop in help desk tickets related to security issues – anything relevant. 
  • Write a brief results summary for leadership.  

 

Hard numbers make future buy-in far easier to secure. (Remember executives want outcomes, not process detail).

Step 7: Plan the Next Cycle

Security culture is not a project with an end date. It is an ongoing programme that you’ve just signed up for! 

 

How to plan your next steps: 

  • Review your threat landscape. Check whether your priorities still reflect the current risk environment. Is identity hygiene still key? Or has a new threat emerged? 
  • Gather feedback from your champions. They will surface insights you will not get from surveys alone, no matter how anonymous they are. 
  • Decide whether to deepen the behaviours from the last cycle or introduce new ones. (Never abandon previous gains). 
  • Go back to step 1. 

 

With each iteration, the process gets smoother and the culture shifts further in the right direction.

Bringing It All Together

Cybersecurity awareness training works best when it sits inside a structured, repeating programme, not as an annual video and a quiz.  

 

If you want to see what this looks like in practice, Trustack offers a proof-of-concept of our human risk management platform.  

 

You will see what our data-led training programme looks like for your organisation before committing to anything.