Security · IT Support

Your People: The Biggest Risk — And the Best Defence

6 July 2026

Your People: The Biggest Risk — And the Best Defence

Firewalls don't get tricked into approving a fraudulent payment. People do. Every serious study of how breaches actually begin points to the same starting point far more often than any technical vulnerability: a person, under pressure, making a fast decision that turns out to be the wrong one.

This isn't a reason to blame staff. It's a reason to build a culture and a training approach that makes the right decision the easy one, even under pressure.

This article relates to the User Awareness & Culture domain of the Technology Resilience Score. It looks at whether your firm's people are prepared for the tactics actually used against firms like yours.

Why awareness and culture are different for financial services firms

Financial services firms are a favourite target for social engineering precisely because urgency and authority are baked into how the business runs. A request to move funds quickly, or to share a document ahead of a deal deadline, doesn't look out of place — which is exactly what attackers rely on.

  • Fraudulent payment requests are often disguised as routine, time-sensitive instructions
  • Deal pressure and client urgency create exactly the conditions attackers exploit
  • Smaller firms often lack a formal, ongoing training programme, relying instead on general awareness
  • A culture where people are afraid to question an unusual request is a bigger risk than any single piece of malware

The best technical controls in the world won't stop someone being convinced a request is genuine.

Consumer Duty, culture and the outcomes clients actually get

A firm's culture around reporting and caution directly affects the outcomes its clients experience. If staff are reluctant to flag a suspicious request for fear of looking foolish or slowing down a deal, that hesitation can be the difference between a caught fraud attempt and a client losing money — a direct Consumer Duty concern, not just an internal one. Building a culture where reporting is encouraged and normalised is as much a client protection measure as any technical control.

Awareness training that happens once a year and is then forgotten does very little against tactics that evolve constantly. The key question becomes: "If someone in our firm received a convincing, urgent, slightly-off request tomorrow, would they know exactly what to do, and would they feel safe raising it?"

Is your firm's technology environment resilient?

Find out whether your team is genuinely prepared to spot and report the tactics used against firms like yours.

Get your Technology Resilience Score

The problem with one-off training

An annual training session ticks a box. It does very little to change behaviour when a real, well-crafted attempt lands in someone's inbox six months later.

  • Training delivered once a year with no reinforcement in between
  • No simulated phishing or social engineering exercises to test real-world readiness
  • No clear, easy process for reporting something that looks suspicious
  • A culture where mistakes are punished rather than treated as a learning opportunity

Awareness that isn't reinforced fades faster than most firms realise.

What weak user awareness and culture looks like in a financial services firm

These patterns recur in firms that haven't invested in an ongoing awareness programme.

  • No regular phishing simulations or measurement of how staff actually respond
  • Training content generic and not tailored to the tactics used against financial firms specifically
  • No clear channel for staff to report something suspicious without friction
  • New starters given system access before any security induction
  • Senior staff exempted from training on the assumption they don't need it
  • No visibility into whether training is actually changing behaviour over time

Each gap leaves the door open a little wider for a well-crafted attempt to succeed.

What strong looks like

A firm with strong awareness and culture treats training as an ongoing programme, not an annual event. Staff are tested regularly with realistic simulations, and the results genuinely inform what gets covered next. Reporting a suspicious email or request is simple, fast and actively encouraged, with no stigma attached to raising a false alarm.

Crucially, this culture extends to senior staff and partners, who are often the most targeted precisely because of the authority they carry.

How this TRS domain helps financial services firms improve

The User Awareness & Culture domain of the Technology Resilience Score looks at how well staff are trained to recognise and respond to threats, and whether the culture around reporting genuinely supports them in doing so.

  • Assesses whether training is ongoing and tailored to sector-specific tactics
  • Reviews how staff actually perform in realistic phishing and social engineering tests
  • Checks how easy and well-used the reporting process is in practice
  • Identifies gaps in onboarding and senior staff coverage

The result is a score out of 5, giving your firm a clear baseline and a structured improvement path towards a genuinely security-aware culture.

Turning your biggest risk into your strongest defence

People will always be a target. The difference between a firm that gets caught out and one that doesn't is usually not technical sophistication — it's whether staff have been prepared, tested and given a safe way to raise concerns. Little Big Tech already supports a high-profile venture capital firm in London where building exactly this kind of reporting culture has become a core part of the ongoing security programme.

The Technology Resilience Score gives ambitious financial services firms a benchmark across 10 domains, including User Awareness & Culture, so the human side of security gets the same rigour as the technical side.

Related reading

Get your Technology Resilience Score

We use cookies to understand how visitors use our site and to improve your experience. You can accept all cookies or decline non-essential ones. Privacy policy.