As cybercrime reaches a fever pitch, here are some emerging trends and the latest smart ways to strengthen the human side of digital security

Key Takeaways

  • Cybersecurity practitioners are increasingly supporting end users as cybercrime explodes.
  • A vast majority of breaches happen because of human choices, but end users face barriers to awareness and habits, including communication overload and too much faith in technical protections.
  • Recent conferences in cybersecurity have emphasized engaging campaigns, gamification, and making cybersecurity fun and low-barrier, rather than scary.
  • A culture of cybersecurity is currently considered the gold standard for behavior change in cybersecurity.
  • At Sans Serif, we have unique expertise in conceptualizing and implementing bespoke marketing-style campaigns that stand out, use evidence-based strategy to shift behavior, and campaign to establish long-term habits.

More technology. More problems.

Cybercrime and efforts to stop it have reached a critical mass. If it feels like multi-factor authentication, more frequent identity verification, and constant messaging around staying vigilant and reporting are on the rise, you’re not imagining it. Cybercrime and the damage it causes are growing at an astounding rate. Phishing attempts alone are relentless (how many “Potential Spam” calls have you gotten this week?).

Technical defenses do a lot. But with thousands of attacks a day on any given company, the 1%, or even 0.01%, that don’t get caught are a scary prospect. With 80% or more of breaches involving a preventable human mistake, cybersecurity teams are increasingly looking to engagement, awareness-raising, and culture building. And with good reason.

As an agency with unique expertise in creating and implementing engaging cybersecurity campaigns that get noticed, shift behavior, and build a culture of cybersecurity, here are a few of the trends we’re seeing at conferences and in practice.

Gamification and challenge experiences

Training fatigue is real. Every corporate environment has a parade of compliance trainings employees are required to complete. After a while, they all look and feel the same, and the information often goes in one ear and out the other. Creative cybersecurity specialists and communications professionals have been innovating ways to boost engagement and fortify learning.

A few years ago, the positive results of cybersecurity escape rooms were being reported at human risk cybersecurity conferences. These experiences put workers in hypothetical cybersecurity situations with a series of puzzles and challenges to escape before time runs out. Interactive and team-driven, cybersecurity escape rooms use problem-based pedagogy, which is much more effective for conveying relevance and ensuring retention.

Gamification of digital campaigns takes a similar approach. Mirroring tactics from gamified apps across a broad spectrum—like Strava, Duolingo, Mint, and others—gamifying cybersecurity challenges incorporates fun, sometimes competitive, often story-driven challenges, goals, and rewards. Using principles from behavioral psychology and frameworks like the one in Hooked by Nir Eyal, gamification builds in a reward-driven feedback loop and automated in-the-path technology to build a habit of participation and grow a culture of cybersecurity. Gamified learning checks the boxes for effective behavior change outlined in modern classic Nudge: make the behavior you want to encourage visible, make it easy, and, if at all possible, make it fun. Check out a great gamified campaign we created for a client here.

Creating cybersecurity (brand) champions

Marketers and business leaders know the power of brand. But core cybersecurity teams have historically focused on the more clearly pragmatic matters of engineering safeguards and defenses against attacks. When the human element is so critical, though, recruiting non-specialists into the effort is crucial.

Marketers use metrics like brand health to measure the power of a brand. High scores are closely linked with higher loyalty, more confidence in what a brand offers and has to say, and a greater likelihood of encouraging others to consume the brand. In brand lingo, the most fervently engaged customers of a brand are called “brand champions.” Brands with a high proportion of brand champions can charge higher prices, have more return customers, and generally enjoy greater esteem.

Enter cybersecurity champions. By harnessing the power of consistent, on-brand, strategically deployed marketing-style campaigns, cybersecurity teams are building their own brand-within-a-brand and cultivating employees in much the same way that companies nurture customers. Raising visibility, having a clear point of view, using consistent communication visuals, and producing high-quality creative content transform employees glazed over from training fatigue into cybersecurity champions more eager to engage with cybersecurity comms and encourage others to do so. These teams use brand tactics to deliver a clearer, more effective core of skills and knowledge by staying on message and adhering to brand verbal-visual guidelines.

Check the culture

As awareness has grown that technology solutions will never close all the digital security gaps (after all, cybercriminals and cybercrimes are evolving as quickly as the defenses against them), attention has focused more and more on a culture of cybersecurity. It’s easy to assume technology will keep us safe. When we take seriously the fact that breaches are usually the result of a human lapse, not a technological weakness, it becomes clear that we need to address humans consistently and powerfully.

Addressing cybersecurity as an element of culture leverages well-vetted behavioral psychology principles. The most effective, most durable changes in behavior happen when people start to identify as someone who does x, y, or z—not as someone who’s being compelled by an outside force to do so. Culture also applies social pressure to those who are outside the norm. For cybersecurity, this means laggards and those resistant to adopting cybersecure habits will increasingly feel the pressure to get on board as the culture presumes the norm of cybersecurity.

For cybersecurity habits to really stick and shore up the gaps technical defenses simply can’t cover, a widespread, celebrated culture of cybersecurity is critical. Practitioners on the leading edge are catching on and deploying methods to do just that.

Meeting employees where they are

Cybersecurity literacy and attitudes are widely variable. Whether based on geography and demographics, job role (office/knowledge worker? IoT in the field?), digital fluency, or any other of the important factors that contribute to knowledge and appropriate cybersecurity response, one size clearly doesn’t fit all.

Cybersecurity training has usually been treated as a one-size-fits-all exception to employees’ day-to-day workflow, while workers are expected to execute good cybersecurity every day. A new emphasis on meeting employees in the platforms and tools they already use—more frequently, but with less demand on time or attention per instance—defines a more effective update to increasingly outdated annual training models. Consistent, routine practice with immediate, high-quality feedback and rewards is a more promising way to turn employees into the frontline of cybersecurity.

Further, while staying true to a cybersecurity brand, the importance of connecting with employees—no matter what level of cybersecurity proficiency they have or what sort of digital connection is normally part of their workday—has grown. The marketing principles of audience segmentation, content strategy, and campaigning through multiple channels are gaining traction as what’s necessary to promote true cybersecurity vigilance in every corner of an organization.

It’s all worth it

“Resilience” has become a key focal point of cybersecurity. This inconspicuous term points to an unnerving reality: it’s no longer a question of whether a breach will occur, but rather when—and how much havoc it will cause. Resilience refers to strategies to stop breaches once they occur and control the damage. Ninety percent of organizations reported at least one cyber incident in the last year, and 76% of CISOs believe their organization is at high risk of a significant cybersecurity incident in the next twelve months.

Because breaches are so costly (over $10 million on average for U.S. companies in 2025!), any and every force that can be mobilized to stop them is almost certainly worth it. Engaging campaigns, behavioral change, and targeting culture come with costs. But those costs pale in comparison to the likely loss from a breach. While technical defenses will continue to chase cybercriminal trends and do the heaviest lift of fortifying the cyber ramparts, the brass ring is an all-hands-on-deck crew of cybersecurity champions ready to implement cybersecurity best practices all day, every day—at home and at work. Creative, marketing-style campaigning and evidence-based approaches to behavior change are the key to reinforcing the human element. The field of cybersecurity is taking notice—and taking action.