Culture: The Line of Defence Nobody Can Buy

Here is a question worth sitting with for a moment.

If someone on your team clicked a suspicious link today, would they tell you? Not eventually. Not after trying to quietly fix it themselves. Immediately – would they pick up the phone or walk to your desk and say: I think I may have made a mistake?

If there is any hesitation in your answer, your biggest cyber risk is not technical. It is cultural.

This was one of the clearest messages to come out of Aviemore. Ken Ross shared his experience: how quickly you report a mistake affects the damage done. Mark Gallagher said it clearly: Cybersecurity is a people problem. It’s not just an IT issue. Heather Lowry defined resilience as a shared strength. She used the Scottish Government Strategic Cyber Resilience Framework to explain this. The organisation builds this together. It’s not just one team’s job.

WHAT BLAME CULTURE COSTS A BUSINESS

When staff are scared to admit mistakes, they stay quiet. This happens when they click a link or open an attachment by mistake. The breach goes unreported. The attacker remains inside the system, undetected, for days or weeks. By the time anyone notices, the damage is far greater than it would have been if an immediate report had been made.

Gordy McDonald noted a pattern he sees repeatedly in incident investigations. The compromising click happened days or even weeks before the organisation noticed anything wrong. In every case, faster reporting would have significantly contained the harm. The difference between a managed incident and a catastrophic one is often not the sophistication of the attack. It is how quickly someone said something.

WHAT IS REALLY HAPPENING

Culture is set at the top and felt at the bottom. If leadership treats cyber mistakes as failures to be punished, staff learn to hide them. If leadership treats them as information to act on immediately and without judgment, staff learn to report them. That difference is often the biggest security choice a business owner makes. Yet, most don’t see it as a security decision at all.

Heather Lowry flagged a detail that sits at the edge of culture and process: former employees. If a member of staff left last month and their remote access credentials were never revoked, that is a live vulnerability. It does not require any malicious intent. Poor offboarding is enough. HR and IT need to talk to each other the moment someone leaves or changes roles – not at the next scheduled review.

WHAT A RESILIENT CULTURE LOOKS LIKE

Leadership owns cyber as a business issue, not a technical one. There is a clear, explicit, repeated message from the top that reporting a mistake will never result in punishment. Staff awareness stays strong with small, regular reminders. This is better than one big training session that everyone forgets by the next week. And when someone leaves, access is revoked that day – not assumed to lapse, not added to a to-do list.

ACTION THIS DAY

1. Send one message to your whole team today. It does not need to be long: "If you think you’ve clicked something suspicious, shared something you shouldn’t, or seen something strange, let us know right away. You will not be in trouble. Fast reporting is what protects us all." That one message cuts your real-world risk more than most technical controls. It eliminates the delay between a problem happening and you finding out.

2. Check your offboarding process right now. Think of the last person who left your organisation. Is their email access fully revoked? Is their remote login closed? Have any shared passwords they knew been changed? If you are not certain, find out today.
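The second action above is, in practice, a reconciliation: the HR list of people who have left is compared against what is still enabled in the email, remote-access and shared-password systems, and any gap between the leaving date and the date access was actually closed is measured. The script below is an added example written for this article; it is not code from the article, the event or any of the speakers. It uses constructed sample data (a small leavers list, an account export and a shared-secret register, all invented here) and flags three things the article asks about: accounts still active after someone left, accounts that were disabled late, and shared passwords known to a leaver that have not been changed since they left.

```python
from datetime import date

# Constructed sample data (not from the article). In a real check the leavers
# list comes from HR and the account export from the mail, VPN and
# password-manager admin consoles.
HR_LEAVERS = [
    {"user": "a.smith", "left": "2026-01-20"},
    {"user": "b.jones", "left": "2026-02-03"},
    {"user": "c.brown", "left": "2026-02-10"},
]

ACCOUNT_EXPORT = [
    {"user": "a.smith", "system": "email", "enabled": False, "disabled_on": "2026-01-20"},
    {"user": "a.smith", "system": "vpn",   "enabled": True,  "disabled_on": None},
    {"user": "b.jones", "system": "email", "enabled": False, "disabled_on": "2026-02-12"},
    {"user": "b.jones", "system": "vpn",   "enabled": False, "disabled_on": "2026-02-12"},
    {"user": "c.brown", "system": "email", "enabled": False, "disabled_on": "2026-02-10"},
    {"user": "c.brown", "system": "vpn",   "enabled": False, "disabled_on": "2026-02-10"},
    {"user": "d.white", "system": "email", "enabled": True,  "disabled_on": None},
]

# Shared credentials and who knew them (constructed). "last_rotated" is the
# date the password was last changed.
SHARED_SECRETS = [
    {"name": "backup-nas-admin", "known_to": ["a.smith", "d.white"], "last_rotated": "2025-11-01"},
    {"name": "office-wifi",      "known_to": ["c.brown", "d.white"], "last_rotated": "2026-02-10"},
]


def _d(s):
    """Parse an ISO date string, or return None for a missing value."""
    return date.fromisoformat(s) if s else None


def audit_offboarding(leavers, accounts, shared_secrets):
    """Reconcile HR leavers against live accounts and shared secrets.

    Returns a dict with:
      still_active      - (user, system) pairs still enabled for a leaver
      late_revocations  - (user, system, days_late) where access was disabled
                          after the leaving date
      secrets_to_rotate - shared secrets known to a leaver and not changed
                          since they left
    """
    left_on = {lv["user"]: _d(lv["left"]) for lv in leavers}

    still_active, late = [], []
    for acct in accounts:
        leave_date = left_on.get(acct["user"])
        if leave_date is None:
            continue  # current employee; not part of this check
        if acct["enabled"] or not acct["disabled_on"]:
            # Enabled, or disabled with no recorded date: treat as open
            still_active.append((acct["user"], acct["system"]))
            continue
        gap = (_d(acct["disabled_on"]) - leave_date).days
        if gap > 0:
            late.append((acct["user"], acct["system"], gap))

    rotate = []
    for secret in shared_secrets:
        rotated = _d(secret["last_rotated"])
        # A secret needs changing if anyone who knew it left after the last
        # rotation (same-day rotation counts as done).
        if any(u in left_on and rotated < left_on[u] for u in secret["known_to"]):
            rotate.append(secret["name"])

    return {
        "still_active": still_active,
        "late_revocations": late,
        "secrets_to_rotate": rotate,
    }


if __name__ == "__main__":
    report = audit_offboarding(HR_LEAVERS, ACCOUNT_EXPORT, SHARED_SECRETS)
    for user, system in report["still_active"]:
        print(f"STILL ACTIVE: {user} on {system}")
    for user, system, days in report["late_revocations"]:
        print(f"LATE: {user} on {system} disabled {days} day(s) after leaving")
    for name in report["secrets_to_rotate"]:
        print(f"ROTATE: shared secret '{name}' known to a leaver")
```

On the constructed data the report shows a.smith's VPN login still open a month after leaving, b.jones's email and VPN closed nine days late, and the backup-NAS password unchanged since a.smith left. The "days late" figure is the number the article is really about: each of those days is time in which a departed person's credentials still work.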

CONVERSATION TO HAVE WITH YOUR TEAM

At your next all-staff or team meeting, ask: if you clicked a suspicious link by accident, what would you do? Listen carefully to the answers. If someone says they want to wait and see what happens, or handle it quietly, that’s the conversation to have. It shouldn’t feel like a reprimand, but a real talk about how the team works and what you expect from one another. The answer you are building towards is simple: I would tell you immediately, and I know that would be the right thing to do.

This is Article 6 in the Cyber Resilience for Business Owners series. It’s based on the Highlands and Moray Chambers Joint Cyber Resilience Event held in Aviemore in February 2026.
