In the UK, children are learning to code before they learn how to stay safe online. They can write programs for computer games and even design basic apps. But ask them about phishing or password security, and most won’t have a clue.
That’s not their fault. It’s ours. We’ve done a decent job getting digital skills into schools – but we’ve left out a crucial part: cybersecurity. We’ve taught them how to build, but not how to stay safe.
And it doesn’t stop there. The same gap runs right through the life-long education system. Entry-level staff, managers, governors, board members – even investors. Cyber still feels like someone else’s job. Until something goes wrong.
Look at what happened on the high street earlier this year. M&S, the Co-op, Harrods – all hit by cyberattacks. It wasn’t just about systems going down. It was customers being left in the dark, orders vanishing and trust unravelling in the process. And while those big brands might bounce back, others don’t have that kind of buffer. One breach could mean lost data, locked systems, services disrupted – and reputations in tatters.
So, we need to start early. If coding is on the curriculum, then cybersecurity should be too. Not as a scary subject, but simple, practical tools to stay safe online. How to spot a dodgy link. What makes a strong password. Why it’s a bad idea to reuse logins across accounts and websites. Get it into lessons and make it part of the conversation.
After all, we don’t just drop our children off in empty classrooms and expect them to learn. They’re taught, mentored, encouraged to take part and learn by doing. Cyber awareness skills should be no different.
Then we carry it through. Training for staff can’t just be a one-off tick-box exercise. People forget. Systems change. Threats evolve. Short, regular refreshers – based on real-life situations – are far more effective than an annual slideshow.
And at the top, we need boards and senior leaders to stop waiting for a crisis. Cyber shouldn’t only come up when something breaks. It should be part of every strategy conversation. Do we have a plan if we’re hit by ransomware? When did we last test our backups? Who actually has access to what?
This stuff matters to investors too. Because trust isn’t just about good results or regulator ratings – it’s about whether a business can protect what matters most: its people and their data.
The good news is you don’t need to be a cyber expert to make a difference. Most attacks happen because the basics get missed. A forgotten update. An obvious password. One careless click. That means prevention is within reach – if we treat it as a shared responsibility.
This isn’t about spreading fear. It’s about being ready. A bit of awareness, a few good habits, and a culture where people feel safe to speak up when something seems off.
Because resilience doesn’t start in the server room. It starts in the classroom, continues in the staffroom, and extends to the boardroom. And if we want to stay one step ahead, we need to stop waiting for something to go wrong before we take cyber security seriously.
