Cyber security has become ‘cutthroat’: Why culture is the answer

Cybersecurity’s culture problem: Why blame-driven security is making companies less safe

As cyber threats surge across New Zealand, a growing number of organisations are discovering that their biggest vulnerability isn’t a missing patch or outdated firewall – it’s fear.

According to Kristin Dean, chief people officer at cyber security company Arctic Wolf, a “cutthroat” cybersecurity culture is emerging in many workplaces, and it’s quietly undermining resilience at the exact moment cyber risk is peaking.

She noted that in New Zealand and Australia, breach rates have jumped from 56% in 2024 to 78% in 2025.

Despite this, many leaders still put most of their faith in technical defences – and then look for an individual to blame when something goes wrong.

“When a breach hits, the stakes are high: regulatory scrutiny, customer fallout, financial impact. That urgency can push leaders toward punishing individuals rather than understanding what actually went wrong,” Dean said.

She warned that this instinctive “name-and-blame” response is not only misguided, it is actively dangerous.

“The problem is that this response creates fear, not resilience,” she said. “If people are worried they’ll be blamed for a mistake, they stop reporting things early. That silence can turn a small misstep into a major incident.”

“Cybersecurity works best in a culture that’s open, supportive and focused on learning – not punishment. When people feel safe to speak up, organisations catch issues sooner and recover faster.”

Human risk: the new cybersecurity battleground

For years, organisations have poured money into tools, firewalls and monitoring systems. But the balance of power has shifted decisively into the human domain.

Technology can no longer be the sole defence for an organisation. Dean explained that the biggest variable in any security program is people.

Crucially, she rejected the thought that employees are simply careless or disengaged.

“It’s not that employees are careless – attackers have simply become incredibly good at exploiting natural human instincts. AI has made fraudulent messages more polished and personalised and it’s now becoming harder for anyone – even seasoned professionals – to distinguish what’s real from what’s not,” Dean said.

Threat actors understand this all too well. Manipulating an individual is often faster and more effective than trying to break through layers of technical controls.

Arctic Wolf’s 2025 Human Risk Behaviour Snapshot also reveals a worrying gap between perception and reality among IT leaders. Many are convinced their people are well equipped to spot phishing attempts – yet a notable number admit they’ve clicked on suspicious links themselves.

Overconfidence can be risky, warned Dean: “When people believe they’re ‘too savvy’ to be fooled, they tend to let their guards down. It’s exactly in those moments that attackers find their opening.”

From punishment to coaching

So how can organisations reduce the likelihood that employees will fall victim to attacks, without creating a culture of fear?

While human error can never be completely eliminated, its impact can be dramatically reduced with the right foundations.

“The basics matter most here,” said Dean. “That starts with enforcing Multi Factor Authentication (MFA) and access controls, but it also requires weaving security awareness into day-to-day work through short, relevant training and regular phishing simulations – not once a year, but regularly.”

Crucially, employees need to know what to look for and what to do when something feels wrong.

While mistakes are inevitable, confidence grows when staff understand what a scam looks like, what to do when something doesn’t feel right, and who to notify if issues arise.

A shared responsibility – starting at the top

One of the thorniest questions in cybersecurity is where the organisation’s responsibility ends and the employee’s begins. For Dean, the answer is simple: 

“Cybersecurity is ultimately a shared responsibility,” she said. “Organisations are responsible for putting the right safeguards in place, communicating expectations clearly, and modelling good behaviour, especially as attackers increasingly target senior leaders.”

Employees, for their part, have an obligation to follow guidance and report anything suspicious. But organisations cannot offload the blame if they haven’t done the basics well.

This means boards and executives must see cyber not just as a technical problem, but as a people and culture issue. Leaders shape whether staff feel safe speaking up, how quickly incidents are surfaced, and whether learning is encouraged or discouraged after an error.

Continuous education – not annual box-ticking

With threats evolving rapidly and AI supercharging attackers’ capabilities, Dean noted that yearly compliance videos or one-off training sessions are no longer sufficient.

“Cyber threats evolve quickly, and what protected an organisation last year may not be enough today. The pace of change means security awareness can’t be a once-a-year exercise,” Dean explained.

“Too many programs become ineffective because they rely on a single compliance video that people forget the moment it’s finished. Training needs to be continuous, relevant and bite-sized, reflecting the kinds of threats employees actually encounter in their daily work.”

Beyond training content, the environment in which people learn and report issues is just as important. The rise of AI makes this even more critical.

“As new technologies like AI introduce risks that many employees don’t fully understand, psychological safety becomes especially important,” said Dean.

“Without clear communication, people either hesitate to ask for help or make assumptions that put the organisation at risk.”

Measuring what matters

Dean also stressed that visibility and measurement are essential if organisations want to turn training from a tick-box exercise into a genuine risk-reduction strategy.

“You can’t improve what you don’t measure,” she said.

“If organisations aren’t tracking how people engage with training, how they respond to simulated threats, or where confusion commonly arises, they have no way of knowing whether their efforts are working.”
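
The kind of measurement Dean describes can be made concrete with a small script. The example below is added here and is not code from the article or from Arctic Wolf; the campaign data, team names and field names are constructed for illustration. It scores a simulated phishing campaign on the metrics a learning-focused programme cares about (report rate, time to first report, and the “silent click” rate of people who clicked and never told anyone) rather than on click rate alone, and it breaks the numbers down by team so that confusion can be located and coached rather than punished.

```python
"""Phishing-simulation metrics that emphasise reporting, not just clicking.

Added example, not from the article. Field names, the team labels and the
campaign data below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Recipient:
    """One person who received the simulated lure (constructed schema)."""
    user: str
    team: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None = never clicked
    reported_at: Optional[datetime] = None  # None = never reported


T0 = datetime(2025, 6, 2, 9, 0)  # constructed campaign send time


def _m(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


# Constructed results for one lure sent to eight staff (assumption).
CAMPAIGN = [
    Recipient("alice", "finance", T0, clicked_at=_m(4), reported_at=_m(6)),
    Recipient("bob", "finance", T0, clicked_at=_m(11)),
    Recipient("carol", "finance", T0, reported_at=_m(3)),
    Recipient("dave", "eng", T0),
    Recipient("erin", "eng", T0, reported_at=_m(25)),
    Recipient("frank", "eng", T0, clicked_at=_m(40)),
    Recipient("grace", "exec", T0, clicked_at=_m(2)),
    Recipient("heidi", "exec", T0, reported_at=_m(9)),
]


def campaign_metrics(recipients):
    """Summarise a campaign. Reporting metrics are the ones a blame-free
    culture should move: a punitive programme tends to push report_rate
    down and silent_click_rate up while click_rate barely changes."""
    n = len(recipients)
    clicked = [r for r in recipients if r.clicked_at]
    reported = [r for r in recipients if r.reported_at]
    silent = [r for r in clicked if not r.reported_at]
    latencies = [(r.reported_at - r.sent_at).total_seconds() / 60 for r in reported]
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # Clicked and never reported: the early-warning signal the SOC lost.
        "silent_click_rate": len(silent) / n,
        # Clicked, then owned up: exactly the behaviour to reward.
        "clicked_then_reported": sum(1 for r in clicked if r.reported_at),
        # How long until anyone raised the alarm (the response clock starts here).
        "first_report_minutes": min(latencies) if latencies else None,
        "median_report_minutes": median(latencies) if latencies else None,
    }


def metrics_by_team(recipients):
    """Per-team breakdown so that confusion can be located and coached."""
    teams = sorted({r.team for r in recipients})
    return {t: campaign_metrics([r for r in recipients if r.team == t]) for t in teams}


def silent_clickers(recipients):
    """Users who clicked and never reported: coaching targets, not blame targets."""
    return sorted(r.user for r in recipients if r.clicked_at and not r.reported_at)


if __name__ == "__main__":
    overall = campaign_metrics(CAMPAIGN)
    print("overall:", overall)
    for team, m in metrics_by_team(CAMPAIGN).items():
        print(f"{team}: report_rate={m['report_rate']:.2f} "
              f"silent_click_rate={m['silent_click_rate']:.2f} "
              f"first_report={m['first_report_minutes']}")
    print("coach (not blame):", silent_clickers(CAMPAIGN))
```

Tracked across campaigns, a rising report rate and a falling time-to-first-report are better evidence that the culture is working than a falling click rate, which can be driven down by fear of reporting rather than by better detection.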

Ultimately, the organisations that will withstand the next wave of cyber threats are those that put people at the centre of their security strategies – not as potential scapegoats, but as empowered partners.

In a region where breaches are rising and attackers are only getting smarter, the message is clear: cybersecurity is no longer just about stronger systems – it’s about stronger cultures.
