Why Company Culture Is Your Biggest Cyber Security Risk

Your Office Vibe Might Be More Dangerous Than Hackers in Hoodies…

When most people think of cyber security, they picture shady hackers in dark rooms, furiously typing green code into black screens. What they probably don’t picture is Susan from Accounts clicking “confirm” on a dodgy link, or an overworked junior saying “yes” to a suspicious request from someone pretending to be the CEO.

But according to Sarah Armstrong-Smith, the Chief Security Advisor for Microsoft, who delivered a compelling talk at the Festival of Work, that’s exactly where the real danger lies.


People Over Protocols: The Psychology of the Hack

Cyber attackers don’t always rely on sophisticated tools. Often, they just need to understand people. Classic tactics, such as invoking authority by pretending to be a demanding leader, scarcity (a limited-time deal), or urgency (a tight deadline to respond), are all designed to get someone to act before they think. And really, who hasn’t clicked something they probably shouldn’t have after three coffees and a vague sense of dread?

Backing this up, Professor Angela Sasse of UCL, frequently cited in UK government research, argues that when companies treat employees as liabilities, they create the conditions for risky behaviour. Overly complex policies, a lack of trust, and blame-heavy cultures don’t encourage diligence; they invite shortcuts.

The solution? Reframe cyber security as a team effort, not a top-down mandate. Support your people, and they’ll support your systems.

Open Doors, Hidden Risks: When Transparency Becomes an Unintended Invitation

Attackers don’t always need to hack in when they can simply walk through the front (digital) door. That’s not a dig at your IT setup; it’s about how companies share information.

For instance, marketing thrives on transparency. Showcasing your team, services, and tools builds trust with prospective clients. But it also gives opportunistic attackers a roadmap. If a prospect can find your org chart, tech stack, and team contact details with ease, so can someone crafting a targeted phishing email.

And it doesn’t stop at public-facing content. Internally, shadow processes—like storing passwords in shared spreadsheets or sending sensitive documents without protection—can quietly introduce risk. Even the well-intentioned habit of sharing files with clients via open links (“no password needed”) can create unnecessary exposure.

The good news? Efforts like the ReSCIND programme, a behavioural science initiative, are working to understand attacker psychology and introduce subtle defences that disrupt it. But ultimately, it’s down to leadership to embed smart digital habits and cognitive awareness across their teams.

Leadership Styles That Open the Door to Risk

Create an environment where empathy is scarce and blame is common, and what you get isn’t compliance—it’s concealment. Mistakes are hidden, suspicious emails go unchecked, and people become too anxious to speak up.

Fear campaigns might grab attention in the short term, but they rarely inspire lasting change. A culture that learns from errors, rather than punishing them, is far more likely to catch threats early and respond quickly.

Instead of asking, “Who did this?” ask, “What can we learn?”

Cyber Security Is a Boardroom Issue

According to the 2025 UK Cyber Security Breaches Survey, 43% of UK businesses and 30% of charities experienced a cyber attack last year—most of them phishing-related.

Yet only 27% of organisations have board-level accountability for cyber security. That’s down from 38% in 2021.

So, not only is company culture a risk factor, but it also isn’t a priority where it matters most.

Your Secret Weapon? Transformational Leadership

Leadership rooted in empathy creates something powerful: psychological safety. In that kind of culture, employees feel confident enough to challenge suspicious requests, ask questions, and report potential breaches without fear of being reprimanded.

When someone gets an email that looks like it’s from their boss but feels off, they won’t freeze or forward it in a panic. They’ll pause, think, and confirm. That’s not paranoia—that’s empowered decision-making.

Introducing Video Arts’ Cyber Security Awareness Courses

At Video Arts, we believe the strongest firewall isn’t a tool—it’s your team. That’s why we’ve launched a brand-new suite of Cyber Security Awareness courses, designed to make learning practical, engaging, and sticky:

  • Relatable scenarios: Real-world dilemmas, not dry theory.
  • Bite-sized lessons: Designed for busy schedules.
  • Narrative-driven content: Join Jade and Derek in our digital whodunnit series.


Because cyber security isn’t just about avoiding danger—it’s about building confidence.
