Cybersecurity awareness for businesses: build a security culture
Technical measures are necessary but insufficient. Lasting cybersecurity requires employees at all levels to understand what security means and how they contribute to it daily. This article explains why businesses need a security culture and how to build one.
Why businesses need cybersecurity awareness
Cybercrime costs Dutch businesses billions of euros every year. But most damage does not start with a sophisticated technical attack - it starts with an employee who clicks a link, opens an attachment or enters their password on a fake page.
For SMEs this is particularly acute. They typically lack a full cybersecurity team but hold valuable data: customer records, financial information, intellectual property. They are an attractive target precisely because their defences are on average less robust than those of large organisations.
Statistic: a widely repeated claim holds that 60% of SMEs that fall victim to a cyber attack go out of business within six months. The figure has no traceable primary source, so treat it as an illustration of the stakes rather than a measured rate. What the incident pattern above does support is that awareness training is one of the cheapest controls to deploy, because it addresses the step at which most incidents begin.
What is a security culture?
A security culture is more than a security policy or an annual mandatory training session. It is the state in which employees at all levels - from management to intern - treat cybersecurity as a shared responsibility and act on it daily.
Signs of a strong security culture:
- Employees actively report suspicious emails without fear of negative consequences
- Management leads by example (strong passwords, MFA, no shortcuts)
- Cybersecurity is an organisational issue, not just an IT issue
- Incidents are discussed as learning moments, not mistakes to punish
- Training is a continuous programme, not an annual checkbox
How to build cybersecurity awareness in your business
A practical five-step approach:
- Measure (baseline): Run a phishing simulation to establish the current awareness level. Record not only the click rate but also the report rate and how quickly the first report arrived: a department that rarely clicks but never reports gives you no early warning when a real campaign lands. Without a baseline you cannot show where you stand or demonstrate improvement.
- Train: Offer targeted e-learning modules based on the simulation results, focusing on the departments or scenarios showing the most vulnerability.
- Communicate: Make cybersecurity a recurring topic in team meetings, onboarding and internal communications. Share current threats and real-world examples.
- Set policy: Ensure employees know what to do in the event of an incident: who to call, how to report, what not to do. An incident response plan that everyone knows before an incident shortens the time to containment, and with it the damage.
- Repeat and measure: Awareness fades without maintenance. Plan repetitions quarterly or twice a year, vary the lures so people are not just learning one template, and measure the effect with new simulations against the baseline.
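The measure, train and repeat steps produce numbers that have to be compared campaign to campaign. The script below is an added example, not code from the original page: it scores the results of two constructed phishing simulations per department, ranks departments for targeted training, and reports the change between baseline and follow-up. All names, departments and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in a phishing simulation (constructed data model)."""
    user: str
    department: str
    sent: datetime
    clicked: Optional[datetime] = None   # when the lure link was followed, if at all
    reported: Optional[datetime] = None  # when the user reported the mail, if at all


def campaign_metrics(results):
    """Per-department click rate, report rate and minutes to the first report.

    Report rate is tracked next to click rate on purpose: a department that
    clicks rarely but never reports gives the SOC no warning when a real
    campaign lands, and time to first report is what bounds the damage.
    """
    buckets = {}
    for r in results:
        b = buckets.setdefault(r.department, {"sent": 0, "clicked": 0, "reported": 0, "delays": []})
        b["sent"] += 1
        if r.clicked is not None:
            b["clicked"] += 1
        if r.reported is not None:
            b["reported"] += 1
            b["delays"].append((r.reported - r.sent).total_seconds() / 60)
    metrics = {}
    for dept, b in buckets.items():
        metrics[dept] = {
            "click_rate": round(b["clicked"] / b["sent"], 3),
            "report_rate": round(b["reported"] / b["sent"], 3),
            "minutes_to_first_report": min(b["delays"]) if b["delays"] else None,
        }
    return metrics


def training_priority(metrics):
    """Departments ordered by need: highest click rate first, lowest report rate breaks ties."""
    return sorted(metrics, key=lambda d: (-metrics[d]["click_rate"], metrics[d]["report_rate"]))


def compare_campaigns(baseline, follow_up):
    """Change in click and report rate per department between two campaigns."""
    deltas = {}
    for dept in baseline:
        if dept not in follow_up:
            continue
        deltas[dept] = {
            "click_rate_change": round(follow_up[dept]["click_rate"] - baseline[dept]["click_rate"], 3),
            "report_rate_change": round(follow_up[dept]["report_rate"] - baseline[dept]["report_rate"], 3),
        }
    return deltas


def minutes_after(base, minutes):
    return base + timedelta(minutes=minutes)


# Constructed sample campaigns: a March baseline and a follow-up 13 weeks later, after training.
T0 = datetime(2024, 3, 4, 9, 0)
T1 = T0 + timedelta(days=91)

BASELINE = [
    SimResult("f.jansen", "Finance", T0, clicked=minutes_after(T0, 3)),
    SimResult("m.devries", "Finance", T0, clicked=minutes_after(T0, 10)),
    SimResult("p.bakker", "Finance", T0, reported=minutes_after(T0, 25)),
    SimResult("a.visser", "Finance", T0),
    SimResult("k.smit", "Sales", T0, clicked=minutes_after(T0, 5), reported=minutes_after(T0, 6)),  # clicked, then reported
    SimResult("l.meijer", "Sales", T0, reported=minutes_after(T0, 12)),
    SimResult("r.deboer", "Sales", T0),
    SimResult("s.mulder", "Sales", T0),
]

FOLLOW_UP = [
    SimResult("f.jansen", "Finance", T1, reported=minutes_after(T1, 4)),
    SimResult("m.devries", "Finance", T1, clicked=minutes_after(T1, 7)),
    SimResult("p.bakker", "Finance", T1, reported=minutes_after(T1, 9)),
    SimResult("a.visser", "Finance", T1, reported=minutes_after(T1, 30)),
    SimResult("k.smit", "Sales", T1, reported=minutes_after(T1, 2)),
    SimResult("l.meijer", "Sales", T1, reported=minutes_after(T1, 5)),
    SimResult("r.deboer", "Sales", T1, reported=minutes_after(T1, 15)),
    SimResult("s.mulder", "Sales", T1),
]

if __name__ == "__main__":
    base = campaign_metrics(BASELINE)
    after = campaign_metrics(FOLLOW_UP)
    print("baseline:", base)
    print("train first:", training_priority(base))
    print("change since baseline:", compare_campaigns(base, after))
```

In the constructed baseline, Finance has the higher click rate (0.5) and lower report rate (0.25), so it is trained first; a user who clicks and then reports (k.smit) counts as both, because the report is still the signal that lets you contain the incident. Real simulation platforms export the same three timestamps per recipient, so the scoring logic carries over with only the loader changed.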
Legal obligations for cybersecurity awareness
NIS2 Directive
The directive applies to essential and important entities in the designated sectors. Article 21 requires them to take demonstrable risk-management measures, which explicitly include basic cyber hygiene practices and cybersecurity training, and Article 20 obliges members of the management body to follow cybersecurity training themselves and to encourage equivalent training for employees. Suppliers are pulled in indirectly through the supply-chain security requirement in the same article. Non-compliance can lead to significant fines: for essential entities up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.
ISO 27001
This international information security standard requires demonstrable awareness (clause 7.3) and competence and training (clause 7.2 and Annex A control 6.3 in the 2022 edition) as part of the Information Security Management System (ISMS). Certification auditors will ask for the training content, attendance records and evidence that the training had an effect, which is exactly what the simulation baseline and repeat measurements provide.
GDPR
After a data breach, the regulator examines whether you took the "appropriate technical and organisational measures" that Article 32 requires. Awareness training is one of the organisational measures you can point to, particularly when the breach began with phishing or a mis-addressed email. It does not substitute for the technical measures the same article expects, such as access control, encryption and logging.
Cyber insurance
Insurers increasingly require awareness training as a condition of cyber cover, or reduce premiums when you can demonstrate that employees are trained.
The role of management in cybersecurity awareness
Security culture starts at the top. When management visibly prioritises cybersecurity - participating in training, discussing phishing simulations in executive meetings, being transparent about incidents - it signals that security is taken seriously.
Conversely: if employees see the CEO leave their laptop unattended or share a password, no programme will have lasting effect.