Are we in a cyber awareness crisis?

To build cyber resilience in the workforce, leaders must make it an everyday concern


New research suggests UK organizations are sliding into a cyber awareness crisis, with CISOs under mounting pressure as employee vigilance declines.

According to Proofpoint’s 2025 Voice of the CISO report, only 57 percent of UK CISOs questioned believe staff understand their role in protecting the organization, down from 84 percent last year.

With three quarters (74 percent) reporting a material data loss in the past year, more than doubling the previous year (34 percent), and over half (56 percent) of all respondents citing human error as the leading vulnerability, this issue cannot be ignored.

Making training stick

Relying on sporadic training and occasional phishing simulations may achieve compliance and satisfy audit requirements, but doesn’t lead to lasting behavior change, says Will Candrick, senior director analyst at Gartner.

To improve cyber awareness, organizations need to move beyond box-ticking exercises and build engagement through relevance and creativity. This is the advice of Simon Backwell, a member of the Emerging Trends Working Group at professional association ISACA and head of information security at software company Benefex. He advocates interactive rather than static training, where employees can explore why something was suspicious and learn by doing, rather than guessing the right answer and moving on.

“If you’re doing that repetitively, people stop paying attention,” he tells ITPro. “We tried to make it engaging and relevant, not just about what happens at work, but also in personal life: romance scams, catfishing… things that make people realize this affects them or their families. That’s when it clicks.”

Taking things a step further, Backwell and his team went as far as to write their own awareness course as an audio drama. People could listen whenever suited them, and they found it more engaging.

“It took time to create – scripts, editing, recording etc. – but the impact was huge. People actually asked when the next one would come out, which I’ve never seen before in all my years of security training. Doing it internally takes time, but you get better buy-in because it reflects your company culture. People recognize their colleagues in the stories.”

A widening gap

The steep drop in UK CISOs’ confidence in employee cyber awareness illustrates a widening gap between knowing and doing, however. Proofpoint reported that two thirds of the CISOs questioned believe staff understand good security practices, highlighting that “it’s not that awareness training has stopped working, it’s that awareness alone no longer cuts it,” says the company’s EMEA cybersecurity strategist Matt Cooke.

He adds that CISOs see the pace of change presenting new risks that erode their confidence. Cyber awareness and education have long focused on the risk of phishing and social engineering, but the introduction of AI and agentic workspaces brings with it risks that many security teams are only just starting to understand.

Not only does AI present new risks from its use within the business, but also from the way criminals are using it. “Email phishing attacks frequently use gen AI chatbots, and vishing attacks, such as robocall scams, now use deepfakes,” notes Candrick. “AI puts social engineering on steroids, yet cybersecurity leaders are still using the same awareness measures that were already insufficient.”

While regulatory pressure will play a role in improving AI-related cybersecurity, regulations will always struggle to keep pace, especially in the UK where the process takes time. For example, the EU’s AI Act and Data Act are only now filtering through, much as GDPR did back in 2018, says Backwell. But with how fast AI is advancing – almost weekly – these rules risk becoming outdated as soon as they’re released.

“Organizations can’t afford to wait; they need to act now based on best practice, not just compliance,” he advises.

Dynamic nudging

With regulation playing catch-up, many experts argue that the answer lies not in more rules, but in smarter human engagement, starting with a renewed focus on behavioural change.

Cyber awareness should evolve from compliance training to dynamic nudging, says Candrick. This new approach focuses on monitoring individual employee behaviors and sending in-the-moment nudges that guide them toward safer habits.

“To illustrate this point, consider car safety,” says Candrick. “Speed limit signs represent a traditional compliance approach to security awareness. People receive occasional reminders of the rules. But as we all know, many drivers still speed and many employees still take risky action.”

“Modern cars embrace dynamic nudging, featuring built-in safety features such as lane departure warnings, automatic emergency braking and blind spot monitoring. Modern cars keep drivers safe, just as dynamic nudging in the workplace is poised to reinforce safer employee habits.”

These nudges can be delivered via messaging platforms such as Microsoft Teams or Slack, directly to individuals based on their actual behavior. “For instance, if a sales associate emails a sensitive contract, they might get a Teams message suggesting safer file-sharing methods. Similarly, an engineer using a personal genAI chatbot could receive a message guiding them to the enterprise large language model (LLM),” he says.

Pressure intensifies

The Proofpoint report also found that two thirds of the CISOs say expectations of their role are excessive and that they feel personally accountable for incidents. “You can’t hide behind the company anymore. Regulators and boards are increasingly naming CISOs in investigations, and that changes everything about how you operate,” notes Backwell.

Thankfully, 61 percent of those questioned in the report stated that their organizations have taken steps to protect them from personal liability. Nevertheless, more than two fifths (42 percent) still feel under-resourced to meet their objectives, with board alignment dropping substantially, from 84 percent in 2024 to just 57 percent this year.

“As board alignment weakens, CISOs have to work harder to translate cyber risk into business impact, because boards now rank business valuation as their top post-incident concern,” says Cooke. “At the same time, they’re expected to drive secure innovation with AI, streamline complex tech stacks and keep resilience front and center. In short, it’s a bigger, broader and more exposed role than ever.”

Despite all these challenges, experts agree the situation isn’t hopeless. The move to dynamic nudging and behavioral reinforcement marks a turning point for cybersecurity culture, and it’s CISOs who are leading the way.

However, the responsibility for awareness can’t rest on one pair of shoulders alone. Building resilience means shifting from compliance to culture, and from training to trust. “We’ve got to meet people where they are. It’s not about lecturing them anymore; it’s about making security part of how they work every day. If we can do that, we’ll turn awareness into resilience,” Backwell concludes.

Keri Allan

Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.