Let’s set the scene:

The digital world is moving faster than ever, and with that comes an increased risk of cyber mistakes. Whether it’s an employee clicking a suspicious link or skipping multi-factor authentication (MFA) for convenience, poor cyber behaviours can expose your business to significant threats.

But here’s the tricky part: how do you challenge these behaviours without causing embarrassment or defensiveness?

Equally, how do you respond when someone challenges your actions in the workplace?

Here’s how to handle both situations with professionalism and a focus on building a stronger, more resilient team.

 

How to Challenge Cyber Behaviours

 

Start with curiosity, not criticism

Instead of calling someone out, ask questions that encourage them to think about their actions:

          “Hey, I noticed you clicked that link—what made you think it was legitimate?”

          “I saw you using a USB drive from home—is it encrypted?” 

This approach shows concern for the behaviour, not the person, and fosters dialogue.

 

Explain the “why,” not just the “what”

People are more likely to change when they understand the reasoning behind it. Frame your feedback with context:

          “Using a weak password might seem fine, but it’s one of the easiest ways hackers can get in.”

          “Forwarding sensitive work emails to a personal account could leave data exposed to phishing attacks.”

 

Keep it private

Nobody likes being corrected in front of others. Take the conversation offline:

          Find a quiet space to chat.

          Frame the discussion as a shared effort to improve security, not a personal critique.

 

Provide a solution

Challenge the behaviour while offering an immediate fix:

          “Let’s update your password together now—it’ll only take two minutes.”

          “Here’s a quick guide on spotting phishing emails. Let’s review it so we’re both more prepared next time.”

 

How to Respond if Challenged

 

Pause and listen

Hearing someone challenge your behaviour can feel uncomfortable, but it’s an opportunity to learn. Instead of reacting defensively, thank them for pointing it out:

          “Thanks for flagging that—can you explain what I missed?”

 

Acknowledge, don’t justify

Mistakes happen. Own up to them without making excuses:

          “You’re right, I should’ve checked before clicking. I’ll make sure to do that next time.”

          “Good point—I’ll enable MFA now so this account is more secure.”

 

Turn it into a learning moment

Ask for advice or resources to improve:

          “Do you have any tips on how to spot phishing attempts faster?”

          “What’s the best way to handle this situation in the future?”

 

Stay collaborative

Reassure your colleagues that you value their feedback and are part of the same team:

          “Thanks for bringing this up—it’s great we’re all working to keep the business safe.”

 

Why This Matters

Creating a culture where challenging cyber behaviours is encouraged—and responding constructively is the norm—is critical in 2025. Cyber threats are more sophisticated, and one misstep can have significant consequences.

 

Here’s how to ensure your team embraces this approach:

Normalise the conversation

          Include role-playing scenarios in training where employees practise challenging and responding.

          Recognise employees who identify risks or speak up about potential vulnerabilities.

 

Build psychological safety

          Reiterate that challenging poor behaviours isn’t about blame but about protecting the business.

          Make it clear that feedback is welcomed and valued at all levels.

 

Lead by example

          Executives and managers should demonstrate how to both challenge and respond appropriately.

          Share examples of how constructive feedback has led to improved security practices.

 

In Summary

Challenging cyber behaviours is not about pointing fingers—it’s about protecting the organisation and everyone within it. By approaching these conversations with curiosity, respect, and a focus on solutions, you build a culture of accountability and resilience.

And when someone challenges you, take it as an opportunity to grow and show that you’re committed to the same goal: keeping your business safe.

In 2025, this approach isn’t just good practice. It’s essential.

Mike Wills