Leadership versus workforce: Who shapes security culture most?

When news broke about the recent Jaguar Land Rover (JLR) cyberattack, it shook the UK manufacturing sector. Production lines were halted, sensitive data was stolen and the company reported losses of £485 million in just one quarter (source: TechDigest). Hackers exploited a zero-day vulnerability in a remote-access tool, deployed ransomware and disrupted operations across multiple plants (source: TraceSecurity).

In this article, Luke Appleby, Managing Director at Equilibrium Risk, asks: If a global brand with deep pockets can be crippled, what does that mean for smaller manufacturers? It’s certainly a wake-up call: security isn’t just about technology, it’s about people. And that raises the big question: does security culture depend more on leadership or the workforce?

What the latest research says

Recent studies confirm that human error drives most breaches: between 68% and 90% of incidents involve mistakes or risky behaviour. The UK’s National Cyber Security Centre (NCSC) states that leaders have the biggest influence on security culture because their behaviour sets the tone.

At the same time, government guidance stresses that an engaged workforce is one of the most cost-effective defences. And according to Harvard Business Review, companies with a strong security culture experience up to 50% fewer incidents than those relying on compliance alone.

Leadership: The catalyst for culture

Leaders shape security culture in four critical ways. First, they must model secure behaviour. If executives bypass multi-factor authentication, employees will assume security is optional.

Second, leadership needs to treat security as a strategic priority, not just an IT expense. Manufacturers that embed security into business strategy invest more in resilience.

Third, leaders should communicate why security matters in terms employees understand: safety, uptime and job security, rather than technical jargon. Finally, fairness matters. When everyone follows the same rules, trust grows.

As Stephen Phipson of Make UK warns: “Failing to get this right could cost the manufacturing industry billions and put thousands of jobs at risk.”

And here’s my perspective: “Better security builds better businesses. It starts with leadership, but it thrives on the factory floor.”

Workforce: Where culture lives day-to-day

Frontline employees bring security culture to life. Phishing emails, tailgating and weak passwords are everyday risks that can make or break security. NCSC emphasises that staff must feel safe to challenge suspicious behaviour without fear of blame.

Security champions on the shop floor boost compliance and engagement. Organisations with open reporting cultures resolve incidents faster and suffer less damage.

Think of it like safety culture. Manufacturing mastered ‘safety first’ by empowering workers to stop the line if something looked wrong. Security needs the same mindset: see something, say something, without fear.

UK context

In the UK, security culture isn’t just best practice, it’s backed by regulation and national guidance. Laws such as the Network and Information Systems (NIS) Regulations, UK GDPR and the Health and Safety at Work Act all require organisations to implement robust security measures to protect data, systems and people.

To help businesses meet these obligations, the National Cyber Security Centre (NCSC) has published its Cyber Security Culture Principles and practical tools like ‘Exercise in a Box’, which allow companies to test their resilience against real-world attack scenarios.

Beyond compliance, the UK’s Industrial Strategy places security at the heart of innovation and productivity. As manufacturers adopt advanced technologies under Industry 4.0, the strategy emphasises resilience and trust as key enablers of growth. Security is no longer a bolt-on; it’s a foundation for competitiveness and supply chain confidence.

Industry bodies such as Make UK echo this message, calling for cultural change as digital adoption accelerates. Its reports highlight that technology alone isn’t enough – a proactive security culture is essential to protect intellectual property, maintain operational continuity and meet customer expectations.

The bottom line

The JLR attack proves that even giants can fall. Research is clear: leadership sets the tone, but the workforce makes it real. When leaders prioritise security and employees take ownership, breaches drop, resilience rises and trust grows.

As I tell manufacturers: “From the boardroom to the shop floor, we’re all security people, and our business is safer for it.”
