In the rush to integrate AI, many organisations believe they have established a secure foundation to manage its potential risks. And, according to our recent report, Cyber Resilience 2025: Futureproofing AI Adoption, 85% of cyber risk owners express confidence in their AI security policies.
However, this sense of security may be premature.
Only 34% of employees are even aware that these policies exist. This gap between employer confidence and employee awareness poses a critical threat to organisational resilience, as the most advanced policies are only effective when widely understood and actively followed.
In this blog, we explore how organisations can bridge this gap by promoting an inclusive, practical approach to resilience – equipping employees to become active participants in securing AI-driven workplaces.
We’ll also offer a glimpse into our upcoming webinar, Cyber Resilience: Extinguishing Cyber Threats Before They Spread, featuring cyber expert Rob Demain’s advice to take into consideration for your 2025 plans.
The Awareness Gap: Key Findings from the Research
The report highlights several insights that underscore the importance of aligning cyber security policies with employee awareness and engagement:
- Low Employee Awareness of Cyber Policies
With only a third of employees aware of existing AI security policies, many organisations operate with a limited protection scope. This awareness gap suggests that cyber security and AI policies are often confined to certain teams or shared only during the onboarding phase, failing to reach the wider workforce. When policies are not clearly communicated and reinforced, they risk becoming siloed, and ultimately ineffective. - High Usage of Unauthorised AI Tools
According to the report, 62% of employees have used generative AI tools like ChatGPT or Copilot, with 41% doing so at least once per week – often without organisational approval. While such tools can undoubtedly enhance productivity, unregulated AI usage can expose sensitive information to third parties and introduce potential vulnerabilities. E2e-assure founder, Rob Demain, raised during the International Cyber Expo 2024 that despite this, we should not blame employees for negligence as it is the employer’s responsibility to ensure policies are put in place and followed. - Confidence Versus Reality
The significant gap between employers’ confidence in policies and the on-the-ground reality points to a need for greater cohesion. This disconnect reveals that confidence alone does not translate into comprehensive resilience and highlights the necessity of a unified, inclusive approach to cyber security.
Bridging the Gap: Steps for Building a Resilient AI-Driven Organisation
Addressing this disparity requires more than creating policies; it needs a deliberate strategy for cultivating awareness, engagement, and proactive participation across all levels of an organisation. These steps provide a practical framework for moving from policy confidence to policy coherence.
- Elevate Employee Engagement and Awareness
A resilient organisation requires that every employee, from entry-level staff to executives, is aware of and understands AI security policies. To achieve this:
- Simplify Communication: Policies should be written in accessible language, with clear examples and visual aids where possible. This ensures that complex security practices are understood by all employees, regardless of technical background.
- Integrate Regular Training: Establish quarterly or semi-annual training sessions that cover AI use, cyber risks, and the organisation’s specific policies. These sessions should be interactive and relevant to employees’ daily workflows.
- Encourage Employee Feedback: Employees are often the first to notice policy gaps or challenges. By creating an open channel for feedback, organisations can gain insights from those who are directly impacted by policies, enabling continuous improvement.
- Create Simple and Practical Security Guidelines for End Users
To foster adherence, it’s crucial to design security protocols that are easy for employees to incorporate into their daily routines. Complex guidelines are more likely to be bypassed or forgotten.
- Implement Intuitive Security Tools Automated security measures, like password updates and data encryption, can run seamlessly in the background, reducing the burden on employees while maintaining essential protection. By adding automatic containment actions that isolate potentially compromised end-user devices (EUD), organisations can swiftly limit risk, reducing the potential impact of employee device vulnerabilities.
- Offer Clear AI Usage Policies: Since unauthorised AI tool use is widespread, organisations must establish clear, well-communicated guidelines for approved tools and usage practices. By addressing the risks and benefits of specific AI tools, employees can make informed choices aligned with organisational standards.
- Choose the Right Cyber Security Partner to Support a Resilient Framework
Partnering with a cyber security provider who understands both the risks and potential of AI adoption is vital. The right provider offers both technical support and expertise to help organisations implement effective, flexible security solutions.
- Collaborate on Cyber Security Roadmaps: A robust cyber security roadmap takes both present and future AI integration into account. Work with a provider to craft a roadmap tailored to your organisation’s growth, helping to anticipate new challenges and pre-empt emerging threats.
- Enable Continuous Threat Monitoring: Given the dynamic nature of AI-related threats, real-time monitoring is essential. The right provider will deliver 24/7 monitoring and a rapid response system, keeping organisations protected against new, unanticipated risks.
- Foster a Cyber-Resilient Culture
True resilience is as much about organisational culture as it is about technology. When employees at all levels view cyber security as part of their role, policies become more than rules—they become embedded in the company’s daily practices.
- Recognise and Reward Cyber-Conscious Behaviours: Highlight employees who exhibit strong cyber security practices, whether through training participation, proactive reporting, or adherence to guidelines. Positive reinforcement can encourage others to follow suit.
- Promote a Resilience-First Mindset: Share cyber security updates and success stories regularly to reinforce the message that everyone has a role in maintaining resilience. When leaders communicate the importance of these practices, they set a tone that cascades through the entire organisation.
Conclusion
Building a resilient AI-driven organisation requires more than just strong security policies—it’s about closing the gap between leadership confidence and employee awareness. If you’re interested in exploring how to strengthen your organisation’s defences, join us for the upcoming webinar, Cyber Resilience: Extinguishing Cyber Threats Before They Spread, where cyber expert Rob Demain will share actionable strategies for a resilient 2025.
Join Us to Stay Proactive: Cyber Resilience Webinar
During the LinkedIn live session, cyber veteran Rob Demain will provide in-depth strategies and expert insights on building an inclusive, resilient workplace. Participants will understand the foundations of resilience and resistance and the defenders’ approach to resilience in SecOps.
Plus, an opportunity to ask your questions to an industry ahead of your strategy being set for 2025.
Register here: https://www.linkedin.com/events/cyberresilience-extinguishingcy7252596599665692672/theater/