Stay Safe Online: Building a culture of cyber resilience against phishing threats

This informal CPD article ‘Stay Safe Online: Building a culture of cyber resilience against phishing threats’ was provided by LRN Corporation, a dedicated ethics and compliance company that each year educates and helps people worldwide navigate complex legal and regulatory environments and foster ethical cultures.

Every October, Cybersecurity Awareness Month serves as a timely reminder of the need for organisations to prioritise digital safety (4). This year’s theme, “Stay Safe Online,” emphasises simple but powerful practices—using strong passwords, enabling multi-factor authentication, staying alert to phishing attempts, and keeping software updated. But while these measures are crucial, they are only effective when embedded into a broader culture of cybersecurity awareness.

For compliance and risk professionals, the challenge is not only technical. It is deeply human. Social engineering remains one of the most effective tools in a cybercriminal’s arsenal, and phishing continues to be the entry point for a staggering proportion of data breaches worldwide. Sophisticated attacks exploit psychology—curiosity, urgency, or trust—rather than software vulnerabilities. That means the key to building resilience lies in equipping people with the knowledge, confidence, and habits to recognise and resist these manipulations.

Why phishing awareness matters more than ever

Phishing is no longer just about poorly written emails with suspicious links. Threat actors are increasingly deploying tailored, convincing campaigns that mimic senior executives, trusted partners, or well-known brands. They exploit hybrid work environments, mobile devices, and cloud platforms to increase the chances of success.

Research consistently shows that people are the primary target in cyberattacks. A recent report reveals that human-driven factors—phishing, social engineering, and simple mistakes—contribute to around 60% of breaches (3). And with over 95% of successful attacks still initiated through phishing emails, the message is clear: people represent both the greatest vulnerability and the strongest line of defence. The consequences for organisations are severe, ranging from financial losses and regulatory sanctions to reputational damage and the erosion of trust. For compliance leaders, building phishing awareness is no longer optional—it is a core element of risk management.

From awareness to behaviour change

Traditional training programmes often struggle to keep pace with the sophistication of cyber threats. Static modules delivered once a year may raise initial awareness but rarely drive lasting behavioural change. What employees need are training interventions that are timely, relevant, and practical.

This is where phishing simulations are proving transformative (1). By mimicking real-world attacks, simulations give employees the chance to apply their knowledge in a safe environment. Mistakes become learning opportunities, and lessons are reinforced in the moments that matter most. The latest solutions take this even further, delivering targeted, adaptive training precisely when risky behaviours are detected—helping people not only understand what to look for but also build the muscle memory to respond appropriately.

Embedding a culture of data protection

Beyond technology, embedding a culture of data protection requires consistent leadership messaging, policies aligned with best practice, and regular opportunities for employees to practise safe behaviours. Training should not be viewed as a compliance tick-box exercise but as an investment in resilience.

When employees feel confident spotting a suspicious email, reporting an incident, or applying good password hygiene, they become active participants in safeguarding the organisation. This sense of shared responsibility is at the heart of a strong security culture.

Aligning with regulatory expectations

Data protection regulations—from the UK’s GDPR to sector-specific obligations enforced by the FCA and other bodies—make it clear that organisations must take reasonable steps to prevent breaches (2). Effective, demonstrable training forms a critical part of compliance. Regulators are increasingly focused not just on policies written on paper but on whether employees have been empowered to act on them in practice.

Conclusion: A call to action for Cybersecurity Awareness Month

Cybersecurity Awareness Month is more than an annual campaign; it is a rallying point for organisations to reassess how they protect their people and their data. By prioritising phishing awareness, leveraging innovative simulation tools, and embedding a culture of vigilance, organisations can dramatically reduce their exposure to one of the most persistent threats in the digital landscape.

Staying safe online is no longer just about firewalls and software patches. It’s about people—equipped, empowered, and engaged to make the right decisions in the face of ever-evolving threats.


REFERENCES

  1. National Cyber Security Centre (NCSC): https://www.ncsc.gov.uk/guidance/phishing
  2. Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
  3. Verizon Data Breach Investigations Report (DBIR) 2025: https://www.verizon.com/business/resources/reports/dbir/
  4. Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/cybersecurity-awareness-month