
Building a strong cyber security culture: advice from the NCSC

Employees are the crucial first line of defense. A robust cyber security culture transforms attitudes and behaviors throughout an organisation. The UK’s NCSC lays out six foundational principles to guide this transformation. Here’s how businesses can bring them to life...



1. Frame cyber security as an enabler, not a barrier


Security shouldn’t be seen as a roadblock to productivity - it protects the systems that keep your business running.


  • Make it relevant: Explain how security policies support business goals. For example, secure practices can preserve customer trust or ensure service availability.

  • Collaborate: Work with teams to ensure tools and workflows remain efficient and secure.


2. Foster trust and openness


Employees must feel safe to speak up when things go wrong - without fear.


  • Adopt a zero-blame approach: Encourage swift reporting of concerns or mistakes. Investigations should be framed as learning opportunities.

  • Make reporting simple: Tools like accessible forms or dedicated email addresses help people raise issues easily.


3. Adapt and learn continuously


The cyber threat landscape evolves rapidly - your culture must keep pace.


  • Encourage flexibility: Embrace improvements, from new tools to revised policies.

  • Manage “change fatigue”: Roll out updates thoughtfully, allowing staff time to adjust.


4. Align social norms with security


Informal workplace habits can undermine even the best policies if ignored.


  • Understand current norms: Identify shortcuts employees take (e.g., sharing passwords or bypassing procedures) and why.

  • Leverage positive examples: Highlight employees who practice good habits and let them influence peers.


5. Leadership must model secure behavior


The tone from the top matters. Employees follow what they see.


  • Lead by example: Executives and managers must adhere to the same policies as everyone else - they set the cultural standard.

  • Communicate security as a shared responsibility: Making it part of every decision reinforces its importance.


6. Provide clear, practical guidance


Policies must be usable - not overwhelming or inaccessible.


  • Keep language simple: Avoid jargon and ensure rules are easily understood.

  • Regularly update: Remove outdated guidance and make refreshed documents visible and clear.



Bringing principles to life: practical tactics


  1. Tailored Training & Gamification


    Use scenario-based simulations - like phishing drills or interactive modules - to make learning engaging and relevant.


  2. Psychological Safety in Exercises


    Phishing simulations should educate, not punish. Encourage discussion rather than embarrassment.


  3. Empower with Tools & Resources


    Promote free NCSC assets like Top Tips for Staff and the Suspicious Email Reporting Service - easy for teams to adopt.


  4. Encourage Cyber Essentials Certification


    Achieving Cyber Essentials offers basic cyber protections and may reduce insurance risks - yet uptake remains low.


Why this matters


In the UK, 39% of office workers reported they would not inform their cyber teams if they suspected an attack - often due to fear of blame or repercussions. This kind of silence leaves organisations vulnerable to escalating threats. A no-blame, supportive culture is essential to ensure timely reporting and effective response.


Final thoughts


Cultivating a cyber security culture isn't about heavy-handed rules or technical barriers. It’s about fostering understanding, trust, adaptability, and clarity across all levels of your business.


By following the NCSC’s six principles and embedding them into daily operations - through leadership, engagement, tools, and messaging - organisations can build resilient and empowered teams ready to protect what matters most.


Security Awareness Training


Our security awareness training helps staff understand their working environment, giving them the confidence to speak up when something doesn’t look right.

The training is focused on those with little or no cyber security or technical knowledge and is delivered in small, succinct modules using real world examples. 

Awareness training is tailored to each individual audience to provide the right level of skills and context for your business. The trainers are highly knowledgeable, personable and friendly and pride themselves on providing the right environment for your people to feel comfortable and to ask questions.


Book your training here: Security Awareness Training


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
