Culture is quietly sabotaging many companies’ cyber defences long before attackers arrive. 

Businesses can invest in top-tier tools and polished policies, but if everyday habits on the ground pull the other way, culture will win – and security will lose.

Cyber security expert Dr Adrian Davis illustrates the problem with an example of a Scottish chip‑making plant.  Staff were split between two rival Glasgow football teams and – after Old Firm derbies – tensions on the shop floor ran high.

It meant that managers had to rewrite shift patterns to keep the peace. The message was clear: chants, banter and grudges had more pull than any rulebook. Dr Davis says that – if a football score can reshape a rota – it shows how strong culture is when Directors ask their people to pause before clicking a link.

When cyber change fails

At February’s East Midlands Cyber Summit, Dr Davis spoke about corporate culture and why change initiatives fail if they are not aligned with the way things get done. He referred to the famous line: ‘culture eats cyber for breakfast’. Dr Davis suggested that, unless security initiatives fit and slowly reshape lived culture, they will stall like any other change project.​

Reading the room

Dr Davis told delegates that you can judge a company’s mindset just by walking through the door. Are there private offices or shared spaces? Is reception lively and open, or quiet and closed? Do senior leaders hide away or sit where people can see and speak to them? 

These details act like headline messages about what really counts. If bosses seem distant and the place feels shut down, staff are far less likely to speak up when something strange appears on their screen.

Stories inside the business tell their own tale too. In many firms, the ‘stars’ are the salespeople who bend rules to win a big deal – not the colleague who slows things down to follow the process. 

When internal legends praise cutting corners, working around security quickly becomes normal. The person who spots and stops a fake invoice often gets no airtime, even though they may have saved the company from a major loss.

Changing behaviours

In the end, cyber security comes down to behaviour. When the Board never mentions cyber in briefings, staff conclude it doesn’t matter. When IT jokes that the problem is ‘between chair and keyboard’, people learn that asking for help will make them look foolish. 

Posters and online modules won’t fix that.

Therefore, ‘culture eats cyber for breakfast’ is a warning shot. Until everyday routines, office setup and internal heroes all back safe behaviour, even the best security programme will be fighting an uphill battle.

• This post is part of a series based on content from speakers at the East Midlands Cyber Summit 2026. The Summit was delivered by East Midlands Cyber Security Cluster as part of its CyberGrowth programme.