It's late in the afternoon when your receptionist notices something odd.
There was an email in her inbox that (at a glance) looked legitimate.
But it’s the end of the day and she’s in a rush to leave, so she doesn’t have time to investigate when her computer starts acting strangely after clicking on it.
She logs off for the night.
By morning, ransomware has silently and maliciously spread across all three of your Perth offices.
Two weeks offline. Customers unable to be served. Revenue bleeding. Emergency IT consultants charging crisis rates. And the receptionist?
She's been admitted to hospital, suffering from the mental anguish of what happened.
The saddest truth about this story is that it’s not hyperbole or ‘good cyber storytelling’. This is the real cost of cyber crime.
It is a real incident that happened to a real client of Caitriona Forde, a Perth-based cyber security consultant whose PhD research focuses on human factors in cyber security.

"The human element is always forgotten," says Cait. "We focus on the technology, the systems, the controls. But we forget about the person who clicked that email and what happens to them afterward."
The language that breaks culture
For years, the cyber security industry has relied on a simple narrative: people are the weakest link.
The problem sits between the desk and the chair.
Users are careless.
Employees are the vulnerability.
This blame-driven framing, Cait argues, is not just unhelpful. It's actively counterproductive.
"We use this very negative language, and then we wonder why people don't engage with security training," she says. "E-learning modules and simulated phishing tests have been the default for years. But they're not working."
Caitriona’s journey to this realisation came through first-hand experience. Working in IT managed services, she watched clients get hit repeatedly with ransomware and cyber attacks despite having training programs in place. The a-ha moment came when she watched that overwrought receptionist admitted to hospital for her part in a cyber attack. Through this incident, she saw firsthand how blame and shame destroyed not just security culture, but people.
"I fell out of love with IT and realised cyber was very different," she explains. "There was this huge human side that was being completely ignored."
After completing her Master's in cyber security, Caitriona spent two and a half years at Western Power through CyberCX, working on awareness programs. The problem became clear: lots of facilitated training, lots of gamification, but fundamentally the same approach that wasn't moving the needle.
What's in it for me?
For Caitriona, the breakthrough came from asking a completely different question, one that tunes into the world's most listened-to radio station: WIIFM, also known as ‘What’s in it for me?’
"When I tell someone 'I want to educate you on how to keep the company safe,' it doesn't resonate," Caitriona says.
"But when I say 'I want to educate you on how to keep you and your family safe,' suddenly it becomes relevant."
This is the reframe. Cyber safety not as a corporate obligation - but as a life skill.
Consider learning to drive. No one takes driving lessons to benefit their employer. They learn because they want the independence, the capability, the safety of knowing how to operate a vehicle. But once you have that skill, you often end up using your car for work.
"You need to learn this skill to safely exist in a digital world," Caitriona explains.
"It's about giving back to your people with education on an essential life skill that keeps them safe. And when they're safe, it comes back to the business."
This approach underpins her work across two distinct worlds. The corporate arm of her business helps organisations design awareness programs that actually shift culture, often through targeted, role-based training.
The community arm of WA's cyber innovation initiative CyberWest Hub runs ‘Scams and Scones’ sessions, presented by Caitriona, for retirees, and education programs for Men's Sheds. At one session, Caitriona recalls a 90-year-old woman who shared that she'd been scammed three times, noting that the same principles that protect her apply in the workplace.
The AI escalation
If building cyber culture was challenging before, artificial intelligence has made it exponentially harder.
"AI has taken it to the next level," she says. "Is it real or is it not? It's becoming harder and harder to determine."
Cyber criminals are no longer just hacking into organisations. They're hacking the people in the organisations.
Voice cloning technology can replicate your CEO's voice.
Deepfakes can create convincing video calls.
Fake IDs can pass verification processes.
But there's another AI risk that most businesses haven't addressed: their own employees' use of free AI tools.
"Many people don't know that free AI tools are open to the public," Caitriona warns. "They're uploading bank statements and asking for them to be summarised. They're uploading company documents without thinking about where that data goes."
Every business using AI needs policies around acceptable use, not just for productivity but for data protection. Without governance, employees will continue making decisions that expose sensitive information.
What businesses should actually do
Caitriona is conscious that moving from awareness theatre to genuine cyber culture requires specific, practical changes. Her advice is, at a minimum, to consider these 5 practical steps as part of your cyber security culture and training.
Educate on the why. Don't just tell people to update passwords and devices. Explain how cyber criminals are actually using leaked passwords and stolen data. When people understand the mechanism, they make better decisions.
Practice the pause. One of the most effective security controls costs nothing: teaching people to listen to their gut. If something feels off, pause. Walk away. Ask someone else.
"Urgency is a common tactic," Caitriona explains. "They create pressure so you don't have time to stop and think. But nothing is truly urgent unless it's life and death. You can pause and come back to it."
Tell your story. If someone in your organisation gets scammed or clicks a malicious link, don't let them sit in silence. Remove the shame and normalise what happened.
"Cyber criminals, this is their full-time job," she says. "They're professionals. They're trying to catch you. When we don't talk about it, we let the shame win and we don't learn from it."
Verify everything. In an age of deepfakes and voice cloning, trust but verify isn't paranoid - it's prudent. Double-check through a different channel before acting on urgent requests.
Be careful with AI. Don't believe everything you see online. And don't upload sensitive data to free AI tools without understanding the privacy implications.
The return on investment
When Caitriona works with organisations on culture change, the question inevitably comes up: what's the ROI on this?
The answer isn't found in compliance checkboxes or the number of employees who complete training modules. It's found in behaviour change. In reduced incidents. In employees who feel empowered rather than blamed.
"When you give people an essential life skill, they engage differently," she says. "They stop seeing security as something that's being done to them and start seeing it as something that protects them."
This is the shift from security as overhead to security as value. From compliance culture to resilience culture.
The businesses that will survive the next decade of cyber threats aren't the ones with the most sophisticated technology. They're the ones where employees at every level understand that cyber safety is their responsibility because it protects them, their families and their colleagues.
"Cyber criminals work together," Caitriona notes. "But we as businesses work in silos. That has to change. And it starts with how we talk about and train our people."
Your people are not the weakest link. Given the right education, context and culture, they're your strongest defence.
