In an era of inevitable cyber attacks, training remains your strongest defence, says Phil Chapman, Cybersecurity SME at Firebrand Training.
The British Army’s recent £279m investment in a dedicated cyber defence base tells us something important about where we are with security. Even our most prepared institutions recognise that defending against modern attacks requires sustained investment in people and their capabilities, not just better technology. When the military commits that kind of budget to cyber readiness, it should make the private sector sit up and pay attention.
The pattern is clear enough from recent headlines. Jaguar Land Rover, M&S and plenty of others have learned through painful experience that breaches happen to everyone eventually. What separates organisations that recover quickly from those that make front-page news comes down to how prepared their people were when the attack arrived.
People still make or break your defences
Technology has improved dramatically over the past few years. We have AI-powered detection tools, sophisticated threat intelligence platforms and automated response systems that would have seemed impossible a decade ago. Yet walk through the timeline of almost any major breach and you’ll find the same starting point: someone made a decision under pressure that opened the door. They clicked a link, forwarded an email to the wrong person or used credentials in a way they shouldn’t have. These moments of human judgement determine whether an incident gets contained or spirals into something much worse.
Despite how obvious this seems, most organisations still treat training as something to get through rather than invest in properly. Staff sit through the same generic presentation every year, tick the compliance box, and promptly forget everything they’ve just seen. Meanwhile, attackers are getting better at what they do every single day. Deepfakes are becoming harder to spot, social engineering is more sophisticated and supply chain compromises are exploiting exactly the kind of complacency that comes from treating security awareness as an annual chore.
Training needs to reflect how people actually work
Different teams face entirely different risks, which means they need different kinds of preparation. Your finance department needs to recognise fraudulent invoices and spot when someone is impersonating a supplier. IT teams need a working understanding of vulnerabilities, how to prioritise patching and what to do when something goes wrong. HR handles some of the most sensitive personal data in the organisation, and they need to know how to protect it at every stage. Generic training that tries to cover everything for everyone ends up being useful to no one.
What makes training stick is relevance combined with practice. Tabletop exercises and simulations work because they put people in situations that feel real, with the time pressure and ambiguity that come with actual incidents. You remember the scenario where you had to decide whether to shut down a system or keep investigating. You don’t remember slide forty-three about password complexity requirements. Hands-on practice builds instincts in a way that theory never will.
There’s also a persistent myth that effective training has to be comprehensive and time-consuming. In reality, regular short sessions beat an annual marathon every time. Threats evolve constantly, and people need frequent reminders to stay sharp. Just as important is building a culture where employees feel comfortable raising concerns and asking questions when something seems off. Small, ongoing interactions do more to embed security thinking than one intensive session that everyone forgets the next week.
Getting the fundamentals right matters more than most organisations realise. Despite all the sophisticated attacks we hear about, the majority of breaches still come down to basic failures: phishing emails that work, weak passwords that get guessed, poor data handling that creates exposure. Addressing these issues properly reduces risk more effectively than investing in advanced tools while leaving the foundations shaky. Specialist training for technical teams and incident responders has its place, but only after you’ve made sure everyone understands the basics well enough to avoid the mistakes that cause most problems.
Regulation is pushing organisations to take this seriously
The UK Cybersecurity and Resilience Bill, which should come into force this year, gives organisations a concrete reason to address their training gaps now rather than later. The bill strengthens requirements for digital service providers and anyone operating critical infrastructure, tying regulatory expectations to frameworks like the NCSC Cyber Assessment Framework. What this means in practice is higher standards for governance, risk management, and operational resilience, all of which depend on having capable people throughout the organisation.
The bill also tightens mandatory incident reporting timelines. Organisations have 24 hours to notify the NCSC about cyber incidents, while the existing 72-hour window for reporting personal data breaches to the ICO remains in place. Meeting these deadlines under the pressure of an active incident requires more than having the right procedures documented somewhere. You need people across different departments who can recognise what’s happening, understand who needs to be told, and act quickly without panicking or waiting for perfect information.
Rather than seeing this as just another regulatory hurdle, organisations should treat it as useful external pressure to do things they probably should have done anyway. Review your policies, update your incident response plans, and work out where your training gaps actually are. A mature security posture doesn’t come from buying the right tools and hoping for the best. It comes from having clear governance, regular practice, and people who know what they’re doing when something goes wrong.
The skills gap won’t fix itself
Training your existing staff only gets you so far. The wider industry needs to invest in developing the next generation of security professionals through apprenticeships, structured learning pathways, and proper early-career development programmes. Without this kind of pipeline, the UK is going to struggle to meet the demands coming from emerging technologies like cloud and AI. The teams we have now are already stretched thin and dealing with unsustainable pressure. That situation only gets worse unless we’re actively building the workforce we’ll need in five years.
Preparation matters more as attacks get harder to stop
Attackers will keep getting better at what they do. Social engineering will become more convincing as deepfakes and AI-generated content improve. Supply chains will remain vulnerable because they involve so many moving parts. The barrier to launching sophisticated attacks will keep dropping as tools become more accessible. In this environment, having prepared and capable people throughout your organisation becomes more important, not less.
The British Army clearly understands this, which is why they’re investing hundreds of millions in cyber defence capability. That money isn’t just going towards buildings and equipment – it’s a recognition that effective defence depends on having the right people in place with the right training and support. The private sector needs to follow the same logic.
Organisations that treat training as a strategic priority rather than a compliance exercise end up in a fundamentally different position when an incident happens. They have teams that know what to do under pressure, cultures where security is part of everyone’s job rather than just IT’s problem, and resilience that no amount of technology can create on its own. When the inevitable attack comes, and it will come, being prepared is what separates a manageable incident from a career-ending disaster.