Banking

The most targeted sector in the world shouldn't train like it's 2012.

Banking sits at the top of every threat actor's priority list. Business email compromise, vishing, social engineering, insider threat. Your people are the front line. And training for compliance alone is not a front line strategy.

#1

Financial services is the most targeted sector for cybercrime, year after year. Not because your systems are weaker. Because the payoff is bigger, and the humans inside your organisation are the easiest way in.

IBM X-Force Threat Intelligence Index (2024)

60%

Of confirmed breaches involve a human element. Phishing, social engineering, credential misuse, insider error. The firewall held. The person didn't. That's not a technology problem. That's a behaviour problem.

Verizon Data Breach Investigations Report (2025), 22,052 incidents analysed

1.7%

The measurable difference in phishing failure rate between annually trained and untrained groups. Your team clicks through the module. They pass the test. They forget it by Thursday. And twelve months later they do it again.

Ho et al. (2025), UC San Diego / University of Chicago, n=19,500

The Problem

Compliance training isn't a security strategy.

Banking is the sector that pioneered risk management. You have quantitative models for credit risk, liquidity risk, operational risk. You stress-test your balance sheet against extreme scenarios. You have entire teams whose job is to identify where things go wrong before they go wrong.

And then you train your people with a twenty-minute e-learning module once a year and call it a security culture.

The regulators want to see completion rates. So that's what you show them. But completion rates are not behaviour change rates. A person can pass a phishing awareness quiz and still click the link three hours later. Proofpoint's survey of 7,500 employees across 15 countries found that 96% of people who took a risky security action knew it was risky when they took it. This is not an awareness problem. It is a behaviour problem.

The FCA and PRA are shifting their expectations. DORA raised the bar across the board. Demonstrable culture, not just documented programmes, is where the pressure is heading. The question is whether you get ahead of it or scramble to catch up.

The banking threat landscape

What your people are actually up against

01 Business Email Compromise

Sophisticated impersonation attacks targeting finance, payments, and executive functions. The attacker knows the org chart, the processes, and exactly who to pressure. Annual training doesn't prepare people for that level of social engineering.

02 Vishing & Voice Fraud

AI-generated voice cloning, real-time deepfakes, caller ID spoofing. Voice-based fraud against bank employees is rising sharply. Your team needs to have experienced the pressure of a manipulative call before they are on the front line taking a real one.

03 Third Party & Supply Chain

The attack surface isn't just your employees. It's every supplier, partner, and platform with access to your systems. Security culture needs to extend to how your people evaluate and manage third party access, not just spotting a phishing email.

04 Insider Risk

Whether accidental or deliberate, insider threat is a persistent problem for banking. Effective security culture means employees recognise when they are being used as a vector and know what to do about it without needing a policy document to hand.

The Argument

96% of people who made the risky decision knew it was risky. This is not an awareness problem. It is a behavioural problem.

Amy Stokes-Waters, CEO ⋅ The Cyber Escape Room Co.

Regulation

DORA raised the bar on human resilience.

The Digital Operational Resilience Act doesn't just require awareness. It requires demonstrated resilience, including how your people actually behave during an incident. Completion rates are not evidence of resilience. They are evidence of a process being followed. The controls listed below are where most banking organisations have a training gap.

DORA controls we address
Art. 13(6) Compulsory ICT security awareness training for all staff
Art. 13(6) Role-based training commensurate to function, including senior management
Art. 13(2) Post-incident review and staff response
Art. 13(3) Testing lessons embedded in risk process
Art. 17 ICT incident management process
Art. 24 General resilience testing requirements
Art. 28 Third-party ICT risk awareness

Article references follow the final DORA text (Regulation EU 2022/2554), applicable from January 2025.

The alternative

Train the instinct. Not the tickbox.

The Cyber Escape Room Co. builds immersive experiences that put your people inside a security scenario, not in front of a presentation about one. Physical escape rooms. Digital simulations. AI-powered vishing calls. Large-scale events for hundreds of employees at once.

The format is the point. When the scenario is real enough to create pressure, the decisions people make become real too. That's how behaviour changes. Not through information. Through experience.

We've worked with major banking and financial services organisations across the UK and internationally. The outcomes are measurable, the engagement is genuine, and the training doesn't feel like training. That is the whole idea.

What We Deliver

Not a training programme.
A rehearsal for the real thing.

01 ESC Physical Escape Rooms

Put your team inside the incident.

Scenario-based physical experiences deployed at your premises. Groups of five work through carefully constructed scenarios under genuine time pressure: credential theft, executive impersonation, social engineering of staff, insider threat. The environment replicates the pressure and ambiguity of the real thing. The debrief is where the behaviour change consolidates.

02 SHIFT Digital Escape Rooms

Scale it across every branch, every team.

The same scenario logic and behavioural challenge as ESC, delivered digitally for dispersed workforces. Particularly relevant for banking operations with regional branches, remote compliance teams, and large contact centre populations. No logistics. No dilution of impact. Deployable to thousands of people simultaneously.

03 CTRL+Vish Vishing Simulations

The attack vector your sector is most exposed to.

Finance teams. Treasury. Payments authorisers. Relationship managers. Banking roles that handle high-value transactions are the primary target for voice-based social engineering and CEO fraud. CTRL+Vish puts your people on the phone with an AI-powered visher. They navigate the conversation in real time, under real pressure, before it counts. The risk scores tell you exactly who needs more work.

Each product maps to a stage of the Behaviour Cycle. Used together, they move your workforce from initial engagement through to embedded instinct.
Let's Talk

Ready to stop ticking boxes?

Talk to us about what a behaviour-change programme looks like for your organisation. No deck. No long-winded sales process. A real conversation about what you're trying to solve.