Building Resilience Through Cyber Training with Anthony Lamont
Key Insights
Cyber security is not just about firewalls and software. The actions of people across your organisation often determine how secure you really are. This article explores practical ways to reduce human risk and strengthen resilience. It covers:
The part people play in strengthening or weakening a company’s cyber posture.
How to spot users who may present higher levels of risk.
What meaningful, well targeted cyber training should look like.
How to tell whether awareness efforts are actually changing behaviour.
The role of third parties and leadership expectations in maintaining strong practices.
What the Ministerial Letter on Cyber Security means for training and governance.
Read time: 12 minutes
In today’s digital landscape, cyber security is more than just a technical challenge. While businesses invest heavily in firewalls, monitoring, and encryption, human behaviour remains one of the most significant vulnerabilities. Employees, contractors, and partners all play a role in how secure a business truly is.
This article draws on insights from one of our Associates, Anthony Lamont, an expert in human risk management, to explore practical ways businesses can strengthen their cyber resilience. The answers below combine real-world experience, practical steps, and a focus on human behaviour as the cornerstone of cyber security.
How can businesses determine which users are truly the highest risk beyond senior leaders?
Each business must define what constitutes a high-risk role based on responsibilities, access, and the potential impact of a security breach. High-risk roles generally include staff with access to sensitive information, critical systems, financial resources, or privileged accounts. For example, if a system administrator’s credentials were compromised, cyber criminals could install malware across critical systems.
A robust approach is needed that combines industry best practices with internal analytics. Start by reviewing access rights, privileged accounts, and behavioural telemetry to identify potential anomalies and high-risk activity.
Close collaboration with cyber security defence teams ensures that risky behaviours are detected and remediated. This approach delivers a well-informed view of high-risk users, drawing on regulatory guidance, recognised industry standards, and continuous internal risk monitoring.
How can businesses assess whether high-risk users are receiving sufficient training?
Sufficient training is bespoke, continuous, and relevant to the individual’s role. Most staff receive annual mandatory training, but high-risk users need context-specific training that goes beyond those mandatory sessions and explains clearly why they are being targeted: what they know, and the privileged or sensitive access they hold.
Training must be continuous and timely. Cyber threats evolve rapidly, so organisations need a dynamic approach to awareness. Use a mix of channels, such as microlearning modules, manager-led cascades, email updates, intranet articles, posters, phishing simulations, and leadership messages to keep cyber security top of mind.
Content should adapt to emerging threats, and close collaboration with cyber risk teams is critical to ensure relevance.
How can businesses track and address repeated risky behaviour?
Behavioural monitoring cannot rely on training alone. Integration with technical platforms is essential. Microsoft 365 provides tools to monitor risky behaviour and run phishing campaigns.
In addition, there are a number of human risk platforms that can aggregate data from multiple sources, such as email security, system access, collaboration tools, and web activity into a single view. This enables organisations to assess risk at the individual, departmental, and enterprise level, providing actionable insights to strengthen overall security posture.
Monitoring pre- and post-training behaviour, such as phishing click rates or reporting rates, provides a clear measure of effectiveness. High-risk scores should improve over time if training is effective. Continuous reinforcement ensures staff remain vigilant and aware, not only during training periods but at all times.
How do businesses keep training relevant as cyber threats evolve?
Training should be guided by cyber risk teams who assess threats, prioritise actions, and categorise risks by severity. These teams often leverage risk management platforms to track requirements and progress.
Training must align with relevant legislative and regulatory frameworks, such as data protection laws, industry standards, and national cyber risk guidance, to ensure compliance while addressing real business risks. This approach ensures education and awareness is practical, targeted, relevant, and responsive to evolving threats.
Additionally, understanding your audience is critical. Employees, contractors, third parties, and partners across office and field environments require tailored communication. Factors such as device type, job role, and work patterns influence how people engage with training. Large, diverse workforces, often spanning thousands of employees and external staff, typically demand flexible approaches. Therefore, training must accommodate this diversity to ensure effectiveness and relevance.
How can businesses measure whether training leads to real behaviour change?
Measuring effectiveness requires more than satisfaction surveys or basic knowledge quizzes. Organisations should identify risks before training, what issues they are trying to resolve, and then track behavioural changes afterward. Phishing simulations are a strong example: monitoring metrics such as click rates, reporting rates, and other risky actions helps determine whether high-risk individuals are becoming more vigilant.
Human Risk platforms can also automatically capture risk data and calculate risk scores to help businesses assess training effectiveness over time.
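The pre- and post-training comparison described above (click rates, reporting rates, and a per-user risk score) can be computed from simulation results without a commercial platform. The following is an added example, not code from the article or from any product it mentions; the phishing-simulation records are constructed, and the outcome weights and the doubling for privileged accounts are illustrative assumptions, not an industry-standard scoring model.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    user: str
    department: str
    phase: str      # "pre" or "post": before or after targeted training
    outcome: str    # "clicked", "reported" or "ignored"


# Constructed sample data (not real results): one row per simulated phishing
# email sent to one user in the pre-training or post-training campaign.
RAW_EVENTS = """\
user,department,phase,outcome
alice,finance,pre,clicked
bob,finance,pre,reported
carol,finance,pre,ignored
dave,it-admins,pre,clicked
erin,it-admins,pre,clicked
frank,sales,pre,ignored
alice,finance,post,reported
bob,finance,post,reported
carol,finance,post,ignored
dave,it-admins,post,reported
erin,it-admins,post,clicked
frank,sales,post,clicked
"""


def parse_events(csv_text):
    """Parse the simple CSV export into SimEvent records."""
    lines = csv_text.strip().splitlines()
    header = lines[0].split(",")
    events = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        events.append(SimEvent(row["user"], row["department"], row["phase"], row["outcome"]))
    return events


def rates(events, phase, group_by="department"):
    """Click rate and report rate per group for one campaign phase.
    Returns {group: {"sent": n, "click_rate": x, "report_rate": y}}."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for e in events:
        if e.phase != phase:
            continue
        g = getattr(e, group_by)
        counts[g]["sent"] += 1
        if e.outcome in ("clicked", "reported"):
            counts[g][e.outcome] += 1
    return {
        g: {"sent": c["sent"],
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"]}
        for g, c in counts.items()
    }


def behaviour_change(events, group_by="department"):
    """Post-minus-pre deltas per group. A negative click_delta and a positive
    report_delta indicate the training changed behaviour in the right direction."""
    pre, post = rates(events, "pre", group_by), rates(events, "post", group_by)
    result = {}
    for g in set(pre) & set(post):   # only groups present in both phases are comparable
        result[g] = {"click_delta": post[g]["click_rate"] - pre[g]["click_rate"],
                     "report_delta": post[g]["report_rate"] - pre[g]["report_rate"]}
    return result


# Assumed weights: clicking is a risky action, reporting is protective.
OUTCOME_WEIGHT = {"clicked": 3, "ignored": 0, "reported": -1}


def user_risk_scores(events, privileged=frozenset()):
    """Per-user score from weighted outcomes, doubled for privileged users because
    a compromised admin has far greater impact. Floored at zero."""
    scores = defaultdict(int)
    for e in events:
        scores[e.user] += OUTCOME_WEIGHT[e.outcome]
    return {u: max(0, s * (2 if u in privileged else 1)) for u, s in scores.items()}


def repeat_clickers(events, threshold=2):
    """Users who clicked in at least `threshold` simulations: candidates for
    the targeted, role-specific follow-up the article recommends."""
    clicks = defaultdict(int)
    for e in events:
        if e.outcome == "clicked":
            clicks[e.user] += 1
    return sorted(u for u, n in clicks.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for dept, d in sorted(behaviour_change(evs).items()):
        print(f"{dept:10s} click {d['click_delta']:+.2f}  report {d['report_delta']:+.2f}")
    print("risk scores:", user_risk_scores(evs, privileged={"dave", "erin"}))
    print("repeat clickers:", repeat_clickers(evs))
```

On the constructed data, finance and the admin group move in the right direction after training, while sales gets worse and one privileged user clicks in both campaigns; those are exactly the signals the article says should trigger continuous reinforcement rather than a once-a-year refresher.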
How can businesses ensure third parties follow the same security protocols and behaviours?
Third- and fourth-party risks add significant complexity to an organisation’s security posture. From an education perspective, businesses should treat internal employees and contractors as part of a unified workforce, ensuring a consistent baseline of security education for all. This means training at onboarding, ongoing training, and continual awareness campaigns.
Additionally, high-risk third-party personnel to whom privileged system access has been outsourced should receive sufficient and comprehensive training equivalent to that provided to internal admin staff, including industry certifications (e.g., Cyber Essentials).
Close collaboration with third-party assurance teams is vital. Contracts should be reviewed and clearly state that staff must be competent and trained to a required standard.
What does the Ministerial Letter on Cyber Security mean for training?
The Ministerial Letter on Cyber Security highlights that education and awareness are no longer optional but mandatory as part of the UK’s Cyber Governance Code of Practice. Businesses, particularly board members, must ensure there is an effective cyber security training programme in place and a positive security culture. Cyber criminals often exploit human behaviour, and a single social engineering attack can result in losses of hundreds of millions. A comprehensive and well-informed training and awareness programme will help mitigate those risks.
I would recommend a designated board representative be accountable for all cyber security training across the organisation. Senior leaders must drive the training agenda from the top, while middle managers reinforce it across all teams. Leaders must ensure education and awareness is fully integrated into the cyber strategy, resourced adequately, and maintained as a continuous, organisation-wide programme.
Key Takeaways for Businesses
Clearly define high-risk roles by combining internal data requirements with industry regulations and guidance to assess potential breach impact.
Provide tailored, continuous, role-specific training, explaining why certain roles require additional focus, ensuring content is timely and relevant.
Measure effectiveness beyond completion rates by monitoring behaviour before and after training.
Include high-risk third-party personnel in training programmes to maintain parity with internal staff.
Embed security awareness into the organisation’s cyber strategy, with leadership driving consistency and reinforcing best practices.
Maintain ongoing communication across multiple channels, using varied approaches to keep staff engaged.
Leverage human risk platforms and integrated data to continuously assess risk and optimise training effectiveness.
By putting human behaviour at the centre of cyber security strategy, businesses can reduce vulnerabilities, strengthen resilience, and build a workforce that is genuinely cyber aware.