Our Staff Keep Clicking Phishing Emails. How Do We Build a Truly Cyber-Safe Culture?

The Andraluma Compass - By Marco LAM

You've invested in the best firewalls. You've subscribed to the top anti-malware software. You even run quarterly phishing simulations that generate a pass/fail report. Yet, the dreaded email notification arrives from your IT team: 'A user has clicked on a malicious link.'

After the incident, the leadership team is often baffled. 'But we have the best security systems money can buy!' they say. And they are right; their technical defences against a brute-force hack are likely world-class. But they are missing a crucial distinction. Most 'hacks' today are not technical; they are social engineering. There is no system on earth that can protect an employee who is tricked into willingly giving away the keys to the kingdom. It's the digital equivalent of handing your wallet to a con artist on the street.

Part of why our standard training fails is that we mystify the threat. We use scary, technical jargon that makes the problem feel distant and complex. In reality, we are putting all crime that happens on the internet into the basket of 'cybersecurity.' The truth is, these are often the same scams that have existed for 50 years; the criminals are now just using AI and email as their tools.

This reframing is the first step. The second is to change our entire approach from one based on fear to one based on confidence. For years, we've told our staff "Don't click this!" and "Beware of that!" This fear-based training is counterproductive. It creates anxiety, not vigilance. A truly secure culture is not built on fear; it's built on "Confident Vigilance." This is a state of calm awareness where employees feel empowered to trust their intuition and question things that feel "off," transforming them from a potential liability into your greatest security asset.

So, how do we build this culture?

1. Understand the 'Why' Behind the Click

We must start with empathy. For example, I understand that mature staff are often more susceptible to scams, not because they are careless, but because their worldview was shaped when the written word carried more authority. An official-looking email or a professional website naturally gains their trust and attention in a way it might not for a digital native. Effective training acknowledges this reality with respect, rather than simply blaming the user.

2. Use Dialogue to Explore the "What Ifs"

Instead of just teaching rules, our training approach explores the grey areas of human decision-making under pressure. We use a 'What If' method. We ask the questions your employees are silently asking: 'What if we pay this invoice after the due date?' to challenge the false urgency scammers create. 'What if the CEO really needs me to do this now?' to navigate the fear of disobeying authority. By talking through these scenarios, we build resilient, critical thinking, not just brittle rule-following.

3. Celebrate the Question, Not Just the Answer

A culture of "Confident Vigilance" requires psychological safety. An employee must feel completely safe to raise their hand and say, "This email feels a bit strange, can someone look at it with me?" We must build an environment where an employee is praised for forwarding a suspicious email to IT, even if it turns out to be legitimate. This action—the act of questioning—is the behaviour we want to reward, as it’s the cornerstone of a truly cyber-safe culture.

Firewalls and software are essential, but they are the wall around your city. Your people are the guards on that wall. A culture built on fear makes for jumpy, unreliable guards. A culture built on confidence, respect, and critical thinking creates the most vigilant and effective defence you could ever hope for.

Further Reading:

1. The "Human Element": The Official CISSP Perspective

  • Link: https://www.isc2.org/resource-center/blog/2022/10/25/its-time-to-rethink-the-human-element-in-cybersecurity

  • Why it's valuable: I have mentioned my CISSP credential in the post. This article from ISC2, the official body for the CISSP, argues for rethinking the "human element" as the first line of defence, not the weakest link. It perfectly and authoritatively supports the core thesis.

2. Understanding the Threat: Social Engineering

  • Link: https://www.cisa.gov/news-events/news/social-engineering-and-phishing-attacks (from the US Cybersecurity & Infrastructure Security Agency - CISA)

  • Why it's valuable: This page from a major government cybersecurity agency provides a clear, official definition of social engineering and phishing, adding weight and credibility to your claims.

3. Building the Culture: A Guide from SANS Institute

  • Link: https://www.sans.org/security-awareness-training/blog/building-security-culture

  • Why it's valuable: The SANS Institute is one of the most respected security training organizations in the world. This article provides a framework for building a security culture, validating the approach of moving beyond simple awareness to changing behaviours and creating a positive environment.
