For every organisation, technical security controls are essential, whether that’s firewalls, endpoint protection or email filtering. Yet, for a lot of businesses that have those in place, and for SMEs and NFPs especially, breaches still happen.

Why? Most attackers don’t break down computer systems; they target people instead. The Government’s latest cyber breaches survey shows that phishing is the most common type of attack, and most phishing attacks, rather than being sophisticated, are in fact fairly rudimentary.

They’re designed to look like legitimate emails, create urgency and rely on someone making the wrong decision at the wrong time. It emphasises why having a clear understanding of what threats look like and how to deal with them should be part of your security approach.

Where attacks surface

Despite rapid advances in technological capability, most cyber attacks are still built around deception rather than intrusion. A well-written phishing email can bypass advanced filtering, while a convincing supplier impersonation can trigger a legitimate payment. A fake login page can capture credentials without touching your IT environment. In each example, the attacker is exploiting normal human behaviour, rooted in trust, urgency or routine.

Deception is particularly effective against SMEs and NFPs because both tend to operate with smaller teams and limited IT resources, and rely heavily on email and cloud platforms. With organisations of this size, there’s often an added layer of trust between staff, stakeholders and clients which attackers look to exploit.

It means people become the primary attack point, not because they’re incompetent or careless, but because they’re being directly targeted.

How to create a human firewall

The best way to think about your people in this context is as an extension of your security controls. Users who can spot suspicious emails or question unusual requests actively reduce risk, and early reporting can significantly limit the impact of an incident.

If your users can respond to threats in that way, they become a human firewall; for that they don’t need to be experts, they just need the awareness to spot common threats and report them in the right way. It’s an approach endorsed by security bodies like the NCSC and ICO, and one regarded as a component of a strong layered approach to cyber security for SMEs and NFPs.

Unfortunately, in most organisations, security awareness is treated as compliance, rather than as active training. It’s an important distinction. Behaviour doesn’t change if it’s not challenged regularly. One-off exposure won’t do much because people forget and threats evolve. So, without reinforcement, training doesn’t stick and it becomes disconnected from daily reality.

Effective awareness training is, however, continuous rather than annual, and practical rather than theoretical. It reinforces learning through real-world scenarios and is measurable – so organisations can see how user risk is changing over time.

How to make awareness operational

This is where platforms like Usecure come in. Rather than relying on manual training cycles, Usecure automates the process; users receive ongoing bite-sized training tailored to common threats, alongside simulated phishing campaigns that test behaviour in practice. In turn it provides visibility into where risks are improving or persisting.

This is huge for SMEs and NFPs because it removes the overhead of designing and managing an internal training programme, while making user awareness a consistent, embedded part of operations. And while it’s not a replacement for technical controls, it strengthens the layer that attackers most frequently target.
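To show what "measurable" looks like in practice, here is an added example (not Usecure’s code or reporting method) that turns the raw results of simulated phishing campaigns into the figures an organisation would track over time: click rate, report rate, how quickly people report, which users keep clicking, and whether risk is moving in the right direction. The campaign results are constructed for illustration; the campaign names, user names and field names are assumptions.

```python
from statistics import median
from typing import Dict, List, Optional

# Constructed sample data for three hypothetical simulation campaigns.
# "clicked" = the user followed the simulated lure; "reported_after_min" = minutes
# until the user reported the email (None = never reported). All values are made up.
SAMPLE_RESULTS: List[Dict] = [
    {"campaign": "2024-Q1", "user": "alice", "clicked": True,  "reported_after_min": None},
    {"campaign": "2024-Q1", "user": "bob",   "clicked": True,  "reported_after_min": 40},
    {"campaign": "2024-Q1", "user": "carol", "clicked": False, "reported_after_min": 15},
    {"campaign": "2024-Q1", "user": "dave",  "clicked": False, "reported_after_min": None},
    {"campaign": "2024-Q1", "user": "erin",  "clicked": True,  "reported_after_min": None},
    {"campaign": "2024-Q2", "user": "alice", "clicked": True,  "reported_after_min": None},
    {"campaign": "2024-Q2", "user": "bob",   "clicked": False, "reported_after_min": 10},
    {"campaign": "2024-Q2", "user": "carol", "clicked": False, "reported_after_min": 5},
    {"campaign": "2024-Q2", "user": "dave",  "clicked": False, "reported_after_min": 30},
    {"campaign": "2024-Q2", "user": "erin",  "clicked": False, "reported_after_min": None},
    {"campaign": "2024-Q3", "user": "alice", "clicked": True,  "reported_after_min": 60},
    {"campaign": "2024-Q3", "user": "bob",   "clicked": False, "reported_after_min": 3},
    {"campaign": "2024-Q3", "user": "carol", "clicked": False, "reported_after_min": 8},
    {"campaign": "2024-Q3", "user": "dave",  "clicked": False, "reported_after_min": 12},
    {"campaign": "2024-Q3", "user": "erin",  "clicked": False, "reported_after_min": None},
]


def campaign_metrics(results: List[Dict], campaign: str) -> Dict:
    """Click rate, report rate and median time-to-report for one campaign."""
    rows = [r for r in results if r["campaign"] == campaign]
    if not rows:
        raise ValueError(f"no results for campaign {campaign!r}")
    clicked = sum(1 for r in rows if r["clicked"])
    # A user who clicked and then reported still counts as a report: late
    # reporting is exactly what limits the impact of a real incident.
    report_times = [r["reported_after_min"] for r in rows if r["reported_after_min"] is not None]
    return {
        "users": len(rows),
        "click_rate": clicked / len(rows),
        "report_rate": len(report_times) / len(rows),
        "median_minutes_to_report": median(report_times) if report_times else None,
    }


def trend(results: List[Dict]) -> List[tuple]:
    """Metrics for every campaign, in chronological (sorted name) order."""
    campaigns = sorted({r["campaign"] for r in results})
    return [(c, campaign_metrics(results, c)) for c in campaigns]


def repeat_clickers(results: List[Dict], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least min_clicks campaigns: candidates for extra training."""
    counts: Dict[str, int] = {}
    for r in results:
        if r["clicked"]:
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def risk_improving(results: List[Dict]) -> Optional[bool]:
    """True if clicks fell and reports rose between the first and last campaign."""
    series = trend(results)
    if len(series) < 2:
        return None  # one campaign is a baseline, not a trend
    first, last = series[0][1], series[-1][1]
    return last["click_rate"] < first["click_rate"] and last["report_rate"] > first["report_rate"]


if __name__ == "__main__":
    for name, m in trend(SAMPLE_RESULTS):
        print(f"{name}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}, "
              f"median report time {m['median_minutes_to_report']} min")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("risk improving:", risk_improving(SAMPLE_RESULTS))
```

Report rate and time-to-report are the numbers worth watching more than click rate alone: a campaign where a few people still click but most report within minutes gives the IT contact the early warning the article describes, whereas a low click rate with nobody reporting says little about how a real attack would play out.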

Security is a learned behaviour

Security is as much about how you behave as an organisation as it is about the technical controls you have in place. It’s especially important for small organisations that don’t have a dedicated IT team.

When the people on the ground are informed – those opening emails and handling data – they become a meaningful line of defence. The strongest organisations don’t just protect their systems, they build teams that can protect them too.

Need a cyber security 101 without the jargon? Our CTO Patrick Burgess is hosting a free webinar with our partners uSecure on May 12.

They’ll cut through the noise and tech jargon to focus on the cyber security basics that really matter for SMEs.

No sales fluff, just practical, common‑sense guidance you can actually act on.

You can find out more and sign up here: https://app.livestorm.co/nutbourne-ltd/cyber-security-non-negotiables-dont-be-that-company