
“We make soup and soap. No one is after us…”
That was the received wisdom inside one global pharmaceutical and retail company before the organisation undertook a fundamental shift in how it viewed – and lived – cyber security.
Like many in the sector, the company had systems in place to meet regulatory requirements. It could point to formal training, annual refreshers, and the usual certificates. But leadership recognised that real resilience meant more than ticking boxes. It required reshaping behaviours, language, and assumptions around risk – starting with the people most likely to be targeted – employees.
Here, Alexei Hnatiw of Solvd Together, examines the importance of recognising the psychology of risk, and how conversations helped this organisation confront the idea that “it won’t happen to us.”
Today, cyber threats don’t discriminate by sector or size. From JLR to the Co-op and M&S, recent attacks have shown that even the most well-resourced organisations are vulnerable when secure behaviour isn’t embedded at a cultural level.
It impacts the bottom line, people, a company’s brand values and reputation, and it’s often irreversible. According to the Cyber Monitoring Centre (CMC), the cost to the two high-profile, high-street retailers could reach £440 million, or if you prefer, 29,333,333 M&S ‘Gastropub Dine In’ meals for two.

The retail sector is particularly prone to risk with large, dispersed workforces, high turnover, a heavy reliance on suppliers and seasonal peaks that bring in new, sometimes less-trained staff. Add to that a constant flow of payments, loyalty card transactions, and customer data and there’s a lot to lose – or gain if you’re an ill-intentioned hacker.
To meet regulatory requirements, most organisations deliver mandatory training. And that’s where the key issue lies. The inherent mindset for many is that meeting regulations is the only driving factor in the delivery of training. It’s not that the C-suite doesn’t care, or that employees are incapable, it’s just that no one has ever made it feel real, relevant, or personal.
Meeting regulation is necessary, but in our experience, it’s rarely sufficient. In many cases, awareness programmes follow a familiar pattern – slide decks, multiple choice quizzes, and the awarding of a certificate. Employees sit through them, and then go back to their day jobs.
The problem is that real-world threats rarely mirror a sterile classroom scenario. They arrive as a spoofed supplier email at 4:59pm, or a WhatsApp message that looks like it’s from a store manager, asking for urgent login details.
In those moments, the psychology of risk is critical. Do employees perceive the message as a threat? Do they feel confident enough to challenge it? Do they know how to report it – or even feel empowered to?
If the answer to those questions is “no,” then the best technical systems in the world won’t stop an incident.
The psychology of risk
Cyber security has traditionally been framed as a technical issue, but at its heart, it’s a human one. Most breaches begin with human behaviour – someone clicking a link, sharing credentials, or failing to report something unusual.
Following a data breach at HMRC in June of this year (2025), where more than 100,000 taxpayer accounts were compromised, Professor Oli Buckley of Loughborough University said the attacks “weren’t purely technical failures, they started with people, processes, and misplaced trust.”
This tells us that people often underestimate threats that feel abstract or unfamiliar. In retail, staff may feel that cyber crime happens to banks and governments and not to people who sell groceries or clothing. Back to the soup and soap again.
This mindset is dangerous, as it breeds complacency and makes people more susceptible to manipulation – or even bribery. So that mindset needs changing.
A successful cyber security culture needs to be framed through a human lens. The focus shouldn’t just be on the malware or ransomware itself, but on the human entry points that allow these threats in. By recognising that people are naturally curious, organisations can use that curiosity to spark genuine, organic conversations around cyber security.
And when those conversations are grounded in real-world consequences – such as data breaches, regulatory fines, and reputational damage – employees begin to truly understand the cost of not paying attention.
Case Study: ‘Cards Against Cyber Crime’
When one company asked us to design a cyber awareness programme for high-risk groups, we didn’t just deliver more slides. We started by understanding how employees perceived threats, what assumptions they held, and what behaviours needed to shift. Crucially, we started conversations.
As part of our ‘Define and Discovery’ phase, we engaged with global teams across supply chain, factory, privileged users, legal, marketing, and the CISO function. By mapping their pain points and pinpointing where risks were most likely to emerge, we were able to gain a clear picture of the specific mindsets and behaviours shaping their approach to cyber security.
The solution was Cards Against Cyber Crime, a card game that presented real-world scenarios in a format that encouraged debate and problem-solving.
Instead of being lectured, employees played through situations such as an urgent supplier request that looks suspicious, a colleague unsure about how to report a potential phishing attempt, and a manager pressuring for quick action without proper checks.
By playing the game in groups, participants challenged each other, shared personal experiences, and rehearsed how they would act.
The impact was measurable:
- +9% boost in confidence identifying threats
- +8% increase in understanding reporting processes
- +6% uplift in ability to advise peers
These were significant shifts, achieved across geographies and business units where cyber security was not seen as part of the day job. Or, as one employee put it: “We make soup and soap. No one is after us…” That perception had changed by the end of the programme.
“We wanted to listen to our audience to experiment with something that was going to have a real impact, not just produce more training.” – cyber culture and human risk senior manager, global retail client.
The success of the programme lay in its design principles:
- Contextual relevance: Scenarios were based on real threats employees might encounter, not abstract “what ifs.”
- Collaborative learning: Group play created accountability and made cyber risk a social conversation.
- Emotional engagement: Turning training into a game made it memorable and enjoyable, rather than something to “get through.”
- Habit formation: Employees practised small behaviours, such as double-checking sender addresses, to build long-term resilience.
So what can other retailers take from this?
The key is to challenge the ‘not us’ mindset, because cyber criminals don’t care what you sell – if you hold data, money, or reputation, you’re a target. That means moving beyond compliance. Regulators may be satisfied with evidence of training, but customers expect evidence of resilience.
The most effective way to achieve this is by using psychology to your advantage – understanding how employees perceive risk and designing experiences that shift those perceptions. Training should be practical and social, using real-world scenarios and collaborative learning to embed behaviours more effectively than passive modules ever could.
Above all, it should be linked directly to brand trust. In retail, reputation is everything, and employees need to see that by protecting against cyber threats, they are ultimately protecting both customers and the brand.
About the Author: Alexei Hnatiw is a Senior Consultant at Solvd Together, a learning and performance innovation consultancy.