Putting People First in Retail Cybersecurity: A Human-Centered Approach

Published on June 13, 2025


Recent cyberattacks targeting major retailers have revealed a troubling trend: threat actors are bypassing technical safeguards and exploiting the human element through social engineering. These incidents underscore the urgent need for organizations to pivot away from a purely technological focus and place people at the center of their cybersecurity strategies.

Moving Beyond the Annual Training Checkbox

For many organizations, cybersecurity training has become a box-ticking exercise. The typical annual e-learning module, completed with the sound off while juggling other tasks, has little impact on actual behavior. As identified by the U.S. National Institute of Standards and Technology (NIST) in its Human-Centered Cybersecurity program, this outdated approach falls short.

NIST’s research emphasizes that effective cybersecurity requires more than awareness — it requires behavior change. That shift starts with understanding people.

Start With Understanding Your Workforce

Organizations are diverse. A customer service rep in a retail HQ operates in a vastly different environment than a warehouse manager or a field technician. Even within a single company, regional, cultural, and departmental differences can shape how messages are received and acted upon.

Recognizing these differences isn’t just thoughtful — it’s strategic. Missteps, such as sending English-only documents in bilingual workplaces, create disconnects. But with the right insights — such as identifying respected, long-serving employees to act as cybersecurity ambassadors — organizations can speak more effectively to their teams.

There is no one-size-fits-all solution. Truly impactful security culture change must be tailored to each organization’s unique structure and needs.

Designing Campaigns That Resonate

Once companies understand their people, they can build better campaigns. That could include seemingly simple actions like translating policies or putting up informative posters. But the most successful campaigns go deeper.

Employees won’t always change their behavior just because they’re told to — just like knowing about healthy eating doesn’t guarantee better choices. That’s why effective cybersecurity campaigns need to create lasting engagement.

Organizations might consider hosting cybersecurity workshops as part of employee benefits or bringing in speakers to talk about keeping their families safe online. This approach reframes cybersecurity as a life skill, not just a workplace requirement.

User-friendly technologies — like easy-to-use multi-factor authentication or behavioral “nudges” — can also help make secure choices second nature.

Building the Right Team: The “Swiss Army Knife” Cyber Expert

Managing human risk calls for a new kind of cybersecurity professional — someone who combines technical expertise with people skills and cultural insight.

This expert needs to be comfortable with both data and people, using surveys, phishing tests, interviews, and observation to understand and influence employee behavior. Familiarity with behavior change frameworks, such as COM-B (Capability, Opportunity, Motivation–Behavior), enhances this capability.

Importantly, this individual should also serve as a relatable advocate for cybersecurity across the business — someone who can speak the language of marketing, HR, and frontline staff as well as IT.

Organizations should consider hiring from non-traditional backgrounds. A professional with a blend of cybersecurity understanding and experience in communication, employee engagement, or organizational behavior could be the catalyst for real change.

The Moment to Act Is Now

Changing behavior takes time. But the stakes are too high to delay. As technical defenses prove vulnerable to human error, businesses must evolve to meet threats with a more human-centered response.

Investing in understanding your workforce, tailoring your approach, and building empathetic, actionable campaigns isn’t just a best practice — it’s a necessity for modern retail cyber defense.

Richard Allen is a Cybersecurity Expert at PA Consulting. This article reflects his views and insights on the critical role of human behavior in modern cybersecurity strategies. Originally published 30 May 2025, Infosecurity Magazine