Insights
June 2026 | Lee Casey
Cyber Essentials has traditionally been viewed as a technical framework focused on controls such as secure configuration, access management, patching, and authentication. However, recent changes to the scheme suggest a broader shift. Increasingly, these updates reflect not just technical requirements, but also the behavioural side of cyber security.
Several of the most notable changes highlight this direction. Stronger expectations around MFA, faster patching timelines, and greater visibility of cloud services all point to the same underlying issue: many cyber risks arise not from a lack of tools, but from how people use them in reality.
This reflects a growing recognition that security failures are often driven by predictable behavioural patterns. Password reuse, delayed updates, and untracked use of cloud applications are rarely technical oversights alone; they are typically the result of prioritisation, convenience, and the pressures of day-to-day work.
In response, Cyber Essentials is gradually shifting from a purely control-based standard to one that implicitly accounts for how organisations actually operate. It assumes less idealised behaviour and more realistic working conditions, where decisions are made under time pressure and security is one of many competing demands.
Importantly, this does not reduce the value of technical controls. Instead, it reinforces the need to ensure those controls are usable, adopted, and embedded into everyday workflows. A security measure only reduces risk if people consistently apply it in practice.
Ultimately, the direction of Cyber Essentials reflects a wider truth in cyber security: resilience is not defined solely by the controls an organisation implements, but by the behaviours that determine whether those controls are effective when it matters most. This is increasingly where behavioural approaches to cyber security, such as continuous, context-driven cyber briefings delivered by Sentra, become important in supporting day-to-day decision-making.
May 2026 | Lee Casey
It is clear that cyber security is one of the most significant risks facing modern organisations. Attacks continue to increase in both frequency and sophistication, with the financial, operational, and reputational impact of a single incident often extending far beyond the initial breach. Despite advances in tooling and automation, the National Cyber Security Show reinforced a consistent message that positively influencing behaviour remains a key priority for businesses of all sizes and sectors.
Three key themes emerged, the first of which was the need for vendors to clearly demonstrate the value of their offerings. In a panel on how security decisions are actually made by CISOs and security professionals, it was argued that relevance, timing, and credibility are far more important than volume, cold calling, or poorly researched LinkedIn messages. In making this point, Liz Murray of SASIG highlighted that in an AI-heavy landscape, in-person interaction and trusted relationships arguably carry more weight than ever.
A second key theme was the cultivation of talent within the cyber security sector. It was noted that while specific technical skills can be taught, long-term organisational resilience requires security professionals who possess communication, adaptability, and cultural alignment. There was a clear emphasis on social mobility, framing, and bringing people into the industry with space to develop rather than expecting immediate expertise.
What also struck me was how strongly human factors continue to underpin both risk and resilience. Across discussions, there was a recurring acknowledgment that while technology can scale, automate, and support, it is ultimately people who make security work in practice. Whether through secure-by-default design, reducing friction in everyday processes, or creating environments where individuals feel confident to report concerns, the message was clear: effective security must meet people where they are.
The third theme, therefore, centred on bridging the gap between security design and everyday experience. Whether discussing secure-by-default tooling, employee enablement, or reducing unnecessary friction, speakers stressed that security controls must empower rather than obstruct. Poorly aligned processes not only frustrate employees but also drive insecure workarounds. Achieving effective protection requires designing controls that support how people actually work, not how we imagine they should.
The National Cyber Security Show made clear that the future of cyber resilience depends as much on behavioural insight as it does on technical strength. From how solutions are communicated, to how talent is nurtured, to how security is embedded within everyday workflows, the human element remains the thread that connects successful security strategies. Building long-term resilience requires investment not only in tools and technologies, but in behaviour, culture, and communication. Security must move beyond enforcement and instead focus on understanding, engagement, and empowerment if it is to be effective at scale.
At Sentra, this aligns directly with our approach. Our weekly cyber briefings translate current threats into clear, human-centric insight, explaining not just what is happening, but why people fall for certain attacks, how behaviours are influenced, and what people can do to respond effectively. Each briefing focuses on a recent real-world attack or emerging trend, breaks down the psychological and technical mechanisms behind it, and provides clear, actionable guidance to help staff recognise and respond to similar threats in their own environment.
By connecting what is happening in the threat landscape with how people actually think, decide, and behave, we help organisations move beyond awareness into sustained behavioural change. Ultimately, cyber resilience isn’t defined just by the technical tools an organisation deploys, but by the decisions its people make in the moments that matter most.
April 2026 | Lee Casey
Cyber security remains a critical organisational priority. Attacks occur with increasing frequency, and incur substantial financial, operational, and reputational costs to business. The cost of a single successful incident can cascade across an entire organisation, affecting customers, partners, and long-term trust.
Despite continuous advances in technical controls, most security breaches continue to involve human actions. Recent analyses by industry and academic bodies reinforce this point: a significant proportion of incidents still stem from everyday behaviours and decisions made by individuals (Verizon DBIR, 2025; Infosec Institute, 2024). While modern tooling such as password managers, single sign-on systems, and automated fraud detection has reduced certain categories of risk, the ability of threat actors to adapt their approaches means that human behaviours retain a core relevance.
As a result, improving the way people interact with technology is as essential as securing the technology itself (Verizon, 2024). This is well supported by empirical research demonstrating that human factors significantly influence vulnerability, and that interventions grounded in behavioural science can produce measurable reductions in risk (Khadka & Ullah, 2025; Pfleeger & Caputo, 2021).
At Sentra, we focus specifically on reducing human cyber risk. We create and deliver short, weekly cyber behavioural briefings that translate real-world attacks and emerging trends into practical actions employees can take in their day-to-day roles. Instead of relying on lengthy training modules or infrequent awareness campaigns, our approach brings cyber security to life in a way that staff truly connect with.
Our aim is straightforward: reduce human cyber risk by empowering staff to behave securely in the face of emerging threats.
The key message is that cyber security is now one of the biggest risks facing organisations, and while technology and attack methods will continue to evolve, people remain central to both the problem and the solution. With the right support, they can shift from being a key point of vulnerability to one of the strongest elements of cyber resilience.