Analysis

Stop Blaming Linda

Your staff aren't your security weakness. Your training gap is. Here's how to turn your team from liability into your strongest defence.

The Transcrypt Team
Compliance Engineering

Human factors and staff training

Why your team clicks on dodgy emails - and why it's not their fault


Linda's been with the company for twelve years.

She knows every client by name. She remembers birthdays. She's the one who actually understands the filing system. When the new starter can't find something, they ask Linda. When a customer's upset, Linda calms them down. She's the heart of the operation.

Last month, Linda clicked on a phishing email.

It looked like it came from the MD. It said there was an urgent invoice that needed paying. Linda, being Linda, wanted to help. She clicked the link. Entered her login details on what looked like a normal page.

Within two hours, someone was in the company email system. Within four hours, fraudulent payment requests had gone out to three suppliers. Within a day, the business had lost eight thousand pounds.

And everyone blamed Linda.

The Blame Game

I've seen this happen dozens of times. A breach occurs. Someone clicked something they shouldn't have. And immediately, the finger points at that person.

"How could they be so stupid?"

"It was obviously a scam."

"Anyone could see that wasn't a real email."

Could they? Really?

Go look at your inbox right now. Find the last phishing attempt that got through your spam filter. Look at it carefully. Now imagine you're busy, you're stressed, you've got fifteen things to do, and this email appears to be from your boss asking for something urgent.

Still obvious?

The criminals who craft these emails are professionals. They study how businesses communicate. They research company structures. They time their attacks for busy periods. They prey on exactly the qualities that make someone like Linda good at her job - helpfulness, responsiveness, trust.

Linda didn't fail. The system failed Linda.

The Real Weakness

Here's what I've learned after four years of helping businesses with security: the technology is rarely the problem.

Most small businesses have decent firewalls. They've got anti-virus software. They've updated to reasonably current systems. The digital defences are... fine.

The gap is human.

Not because humans are stupid. Because humans haven't been equipped. They've been given computers and email and access to systems, but nobody's ever sat them down and said: "Here's what a phishing email looks like. Here's how to check if a link is genuine. Here's what to do if you're not sure."

We expect people to know this instinctively. They don't. Why would they? It's not intuitive. It's not obvious. It requires specific knowledge that most people have never been taught.

When Linda clicked that link, she wasn't being careless. She was being helpful, in the absence of training that would have helped her be helpful and safe.

The Training Gap

Let me ask you some questions about your business:

When did you last train your staff on cyber security?

Not "sent them an email about being careful." Actual training. Face to face, or at least interactive. With examples. With practice. With the chance to ask questions.

Do your staff know what a phishing email looks like? Not in theory - could they identify one in their inbox right now, under time pressure, when it's well-crafted?

Do they know what to do if they're unsure? Is there a clear process? Someone to ask? A way to check without feeling stupid?

Do they know it's okay to slow down? That checking a suspicious email won't get them in trouble for being too cautious?

If you can't answer yes to all of these, you have a training gap. And that gap is your real security weakness - not Linda.

What Good Training Looks Like

I've seen bad security training. Death by PowerPoint. Hundred-slide decks about "cyber hygiene." Jargon nobody understands. Scare tactics that make people anxious but don't actually help them.

Good training is different.

It's practical. Real examples of real phishing emails. Actual screenshots of scams that have targeted businesses like yours. "Here's what to look for. Here's how to check."

It's interactive. Not just listening - doing. "Here's an email. Tell me if it's legitimate. Here's why it's not." Let people practice in a safe environment.

It's blame-free. The goal isn't to catch people out. It's to build skills. If someone falls for a test phishing email, that's a learning opportunity, not a disciplinary matter.

It's regular. Not once a year. The threats evolve constantly. Quarterly refreshers, at minimum. Quick sessions, fifteen minutes, keeping it front of mind.

It's relevant. Finance teams need different awareness than warehouse staff. Tailor the training to what people actually encounter in their roles.

What We Do at Simpson & Sons

Every quarter, we run a security refresher. Fifteen minutes, everyone in the room, biscuits provided.

I share the best phishing attempts we've received since last time. We look at them together. We spot the red flags. People compete to find the tells first - it's become a bit of a game.

We talk about what's changed. New scams. New techniques. The latest thing criminals are trying.

We remind everyone of the process: if you're not sure, ask. Forward it to Danny. Check before you click. No blame, no judgement, just checking.

And we celebrate catches. When someone spots a phishing attempt and reports it, we acknowledge it. Kev caught a sophisticated one last month - looked exactly like a delivery notification from our actual courier. He's still proud of himself.

The team isn't a liability anymore. They're a detection system. Dozens of eyes, all trained to spot trouble, all empowered to raise the alarm.

The Linda Transformation

Remember Linda from the start of this story? She's not at Simpson & Sons - she's a composite of real people I've met, in real businesses, who've been blamed for clicking things.

But I've watched Lindas transform.

The person who clicked the phishing link, who felt terrible, who thought they might lose their job - with proper training, they become the most vigilant person in the building. They never want that feeling again. They check everything. They ask questions. They become advocates.

Kev was our Linda. He clicked on everything. Special offers, fake invoices, "urgent" requests from people he'd never heard of. His curiosity was a liability.

Now he's our human firewall. Questions everything. Trusts nothing. Calls me over to look at emails that turn out to be completely legitimate, just because something felt slightly off.

I'd rather have Kev checking too much than clicking without thinking. That transformation came from training, not blame.

The Cost of Blame

When you blame someone for a security incident, several things happen:

They stop reporting. If clicking the wrong thing gets you in trouble, people hide their mistakes. That phishing email someone fell for? They won't tell you. They'll hope it goes away. By the time you discover the breach, it's ten times worse.

Others stop asking. The person who was going to check if an email was legitimate? They saw what happened to Linda. They're not asking now. They'll just click and hope for the best, or delete things that might actually be important.

Culture turns toxic. Security becomes about not getting caught instead of actual protection. People work around systems instead of with them. Fear replaces vigilance.

You miss the real problem. While you're disciplining Linda, you're not asking why Linda didn't know better. The training gap stays open. The next Linda is already in your inbox, about to click.

Building a Security Culture

The opposite of blame is empowerment.

Make reporting safe. "If you click something suspicious, tell us immediately. You won't get in trouble. The faster we know, the faster we can respond." Mean it. Prove it by how you react when it happens.

Make checking easy. A clear process. A named person to ask. A way to verify that doesn't feel like bothering someone. "Just forward it to Danny" is our rule. Danny never makes anyone feel stupid for asking.

Make learning continuous. Regular training. Relevant examples. Ongoing conversation. Security isn't a one-time event - it's a culture.

Make success visible. Celebrate catches. Acknowledge vigilance. When someone spots a phishing attempt, tell everyone. Build pride in the team's collective defence.

The Real Risk

Your biggest cyber security risk isn't Linda.

It's the gap between what Linda needs to know and what Linda's been taught.

Close that gap, and Linda becomes your greatest asset. She's the one who notices something's off. She's the one who asks before clicking. She's the one who sounds the alarm.

Keep blaming Linda, and you'll always have another Linda. Another click. Another breach. Another scapegoat who was never given the tools to do better.

Stop blaming Linda.

Start training her.


Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt. He would like to confirm that no actual Lindas were harmed in the writing of this blog post, and that the Linda composite character is now thriving at a company with excellent security training.
