
Security-Aware Teams: How to Lead One When You’re Not the IT Expert

23 June 2026

The Gap That Catches Managers Out

You don’t run the IT department. You’re not choosing the firewall or writing the security policy. But when someone on your team approves a fake invoice or hands their login credentials to a convincing email, you’re the one dealing with what comes next.

That gap — between where technical security responsibility sits and where the real risk actually lives — is where a lot of managers get caught out. Most security advice is written for security professionals, full of talk about threat surfaces and risk frameworks that have little to do with running a team day to day. The UK Government’s 2025/2026 Cyber Security Breaches Survey found that 43% of UK businesses reported a cyber security breach in the last 12 months. Phishing was involved in 85% of those incidents — meaning the front door for most attacks is a person, not a technical vulnerability. That makes the culture your team operates in as important as any piece of software protecting it.

What follows covers the part that sits with you: the everyday habits and signals that determine whether your people treat security as their job or someone else’s problem.

Your Team Watches What You Do, Not What the Policy Says

People copy the person they report to. If you skim past the security training, joke about reusing the same password, or wave through an “urgent” request without checking it, your team reads that as permission to do the same. The reverse is equally true. When you take thirty seconds to report a suspicious email to IT and mention it briefly in a team meeting, you’ve shown everyone that noticing and flagging things is normal, expected, and not a waste of time.

The cheapest security tool you have

This visible, consistent behaviour costs nothing but attention. You don’t need to understand how multi-factor authentication works under the hood — you just need it switched on and be willing to say so. Turn on an authenticator app for your own accounts, use a password manager, and let people see you doing it. A manager who visibly takes two extra steps gives everyone else cover to slow down too. That cover matters. Only 40% of UK businesses currently use two-factor authentication — which means a leaked password is still enough to gain access to most accounts. A team where the manager has normalised this basic protection closes that gap quickly.

The Knowledge Hub on leadership and workplace culture covers this kind of leading-by-example dynamic in depth. The security context makes it unusually concrete: your visible behaviour is the most effective security policy your team will ever encounter.

The Quiet Threats That Cause the Most Damage

The attacks that hurt businesses rarely look like the movies. There’s no dramatic hacker bent over a glowing screen. There’s an email that looks like it came from a supplier, carrying a slightly altered bank account number on an otherwise normal invoice. Or a message that appears to be from you, sent to someone junior, asking them to buy a few hundred pounds of gift cards before a meeting because you’re “stuck on a call.”

Why phishing keeps working

Phishing is still the front door for most attacks, and the messages have become cleaner and harder to spot — particularly as AI tools make convincing impersonation easier to produce at scale. Ransomware, which locks files until a payment is made, usually starts with one person clicking one attachment. None of this requires your team to be careless. It requires them to be busy, which they always are. Someone moving fast through a full inbox is far more likely to miss a small wrong detail than someone who has been given permission to pause.

The M&S ransomware attack of April 2025 is a useful reminder of what’s at stake at scale — the incident was estimated to have cost the firm £300 million, causing significant operational disruption across its website, ordering systems, and payment infrastructure. Most incidents are smaller in scale. They’re no less painful to the businesses they hit.

Money Requests Deserve a Different Reflex

Any message involving moving money or sharing financial information should trigger a different reaction than a normal email. This is where criminals concentrate their best effort, because it pays the most. Fake invoices, redirected payments, and impersonated executives all work on the same principle: manufacture urgency so the recipient acts before they think.

The reason this matters so much for anyone handling financial data is that the cyber risks built around financial and accounting data tend to be more targeted and better disguised than the generic attacks most people imagine. An attacker who has studied your supplier names and payment cycles can produce a request that looks completely routine.

The two-minute rule that stops expensive mistakes

Give your team one rule that overrides urgency: any new or changed payment detail gets confirmed through a second channel before anyone acts. If an email requests a transfer to a new account, someone picks up the phone and calls a known number from your own records — not the one printed in the email or the signature attached to it. It adds two minutes to the process. It has stopped genuinely expensive mistakes. Make it clear that nobody will ever be in trouble for slowing a payment down to check it. The embarrassment of a brief delay is nothing compared to the cost of an emptied account.

The Access Points That Slip Through the Cracks

Most teams have access vulnerabilities that nobody is actively managing. The shared account several people use with one password between them. The team member checking email on their phone over café Wi-Fi. The contractor who still has access to a project folder three months after the work finished. None of these feel urgent until one of them turns out to be the way someone gets in.

Two questions worth asking regularly

You don’t need a full audit to make progress. Ask two questions every so often: who has access to this, and do they still need it? When someone leaves a project or the organisation, removing their access should be as routine as collecting their door pass. Push for individual accounts wherever the tool allows it — shared logins make it impossible to see who did what, which matters both for security and for accountability when something goes wrong. A plain reminder that financial portals shouldn’t be opened on public Wi-Fi will land far better coming from you in a team message than buried in a policy document nobody reads.

Make It Safe to Admit a Mistake

Here is what quietly sinks most security efforts: people hide their mistakes. Someone clicks a bad link, realises a second later, and says nothing because they’re embarrassed or worried about being blamed. That silence is far more dangerous than the click itself. A threat reported within minutes can often be contained. One that surfaces three days later usually can’t.

Psychological safety is a security tool

As the manager, you determine whether reporting feels safe. If the first response after a mistake is a telling-off, you’ve guaranteed the next person stays quiet. Treat an early report as a good outcome, even when the slip behind it wasn’t. Thank the person who flags it. This is where security and wellbeing overlap more than people expect. A team that trusts it won’t be punished for honesty protects you — because its members tell you things while you can still do something about them. Good team communication and workplace wellbeing practice supports exactly this kind of honest, open environment.

Small and Regular Beats One Big Training Day

The annual security session — the hour everyone sits through once a year and forgets by lunch — does very little. Habits don’t form that way. Small and frequent works better: a two-minute mention in a weekly team meeting, a quick heads-up when a new scam is circulating, one reminder about checking sender addresses and a different one a fortnight later about verifying payments.

You’re not trying to turn your team into security analysts. You’re keeping a few simple behaviours fresh enough that people actually use them when they’re tired and rushing. Pick one habit at a time and let it settle before adding the next. Switching on multi-factor authentication across your tools, for instance, removes a whole category of risk on its own — a leaked password alone is no longer enough to get in. Spread that kind of change out so it never feels like a burden, and it tends to stick.

Where to Start

Most of what keeps a team secure comes down to the tone set day to day. People follow what their manager treats as normal. If checking a strange request, switching on extra protection, and owning up to a slip are things they’ve seen you do without fuss, they’ll do them too.

Pick one change this week. Turn on multi-factor authentication where you can, or introduce the second-channel rule for payments, and build from there once it feels routine. The technical side can stay with the people who own it. The culture is yours to set — and it turns out to be the most important security control of all.

Further Reading
  • GOV.UK: Cyber Security Breaches Survey 2025/2026 — The official annual UK Government survey covering the prevalence, nature, and cost of cyber incidents across UK businesses and charities. Essential reading for any manager making the case for security investment.
  • NCSC: Cyber Security: Small Business Guide — The National Cyber Security Centre’s practical, non-technical guide to the most important protective steps for small and medium-sized organisations. Useful to share with your team.
  • Heimdal Security: UK Cybersecurity Statistics for 2026 — A comprehensive, well-sourced roundup of current UK cybercrime data, including sector-specific trends and the most common attack types affecting businesses.

Header Image by Kris from Pixabay

Disclaimer

The content on this site is provided for general information and educational purposes only. It reflects the author’s views and experience and is not intended as professional IT security, legal, or compliance advice. Cyber threats evolve rapidly, and readers should seek appropriate professional guidance and keep up to date with current NCSC and government guidance. The Happy Manager and Apex Leadership Ltd accept no liability for actions taken in reliance on the content of this article.

References
  1. Department for Science, Innovation and Technology (2026). Cyber Security Breaches Survey 2025/2026. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026
  2. Heimdal Security (2025). UK Cybersecurity Statistics for 2026. https://heimdalsecurity.com/blog/uk-cybersecurity-statistics/
  3. Privacy Engine (2025). UK Cybersecurity Statistics 2025: UK Trends, Facts and Board Actions. https://www.privacyengine.io/blog/uk-cybersecurity-statistics-2025/
  4. Assure Technical (2026). Cyber Security Breaches Survey 2025/2026: Closing the Visibility Gap. https://assuretechnical.com/cyber-security-breaches-survey-2025-2026-analysis/
  5. Cyber News Centre (2026). 1st May 2026 Cyber Update: UK Survey Shows Phishing Still Owns the Breach Economy. https://www.cybernewscentre.com/1st-may-2026-cyber-update-uk-survey-phishing-breach-economy/