Knowing how something works doesn't protect you from it.
Your editorial teams understand narrative. Your marketing people understand persuasion. Your producers, journalists, and designers are professionally sceptical. They know how a story is constructed. They know when they're being sold something.
And yet media organisations remain one of the most successfully attacked sectors for phishing, ransomware, and social engineering. Not because the people are naive. Because knowledge and instinct are two different things.
Knowing that phishing exists does not train your amygdala to pause under pressure. Knowing that impersonation attacks are rising does not mean you'll spot one when it arrives in your inbox at 5:45pm on a Friday as an urgent request from someone who looks exactly like your CEO.
The only thing that changes behaviour is rehearsal. Experiencing the scenario before it's real. That's what we build at The Cyber Escape Room Co.
Positive feedback from The Telegraph's first cyber escape room programme. Word spread so fast they ended up with a waiting list. People were stopping their CISO in the corridor to say how much they loved it.
Andy Bagnall, CISO · The Telegraph
Of confirmed breaches involve a human element. For media organisations, where staff regularly receive unsolicited files, external contacts, and press enquiries, every one of those touchpoints is an attack surface.
Verizon Data Breach Investigations Report (2025), 22,052 incidents analysed
Measurable difference between annually trained and untrained groups. Your people sat through it. They ticked the box. The next phishing email landed in their inbox and it looked exactly like the ones they were warned about.
Ho et al. (2025), UC San Diego / University of Chicago, n=19,500
What the sector actually says
This was our first time running cyber escape rooms at The Telegraph, and we were blown away. Word spread so quickly we ended up with a waiting list, and people were stopping me in the corridor to tell me how much they loved it. Many expected it to be technical, but the experience was hands-on, accessible, and genuinely fun. The puzzles and props brought the learning to life in a way that traditional training just doesn't. We've now built this into our ongoing L&D and cyber awareness programme and are already planning our next round of sessions.
We ran the first of what will be many events that raise security awareness within the company in a really fun and informative way. Feedback from the participants was extremely positive and off the back of that we are overbooked for the next two. Cyber doesn't always have to be boring - and it NEVER is when Amy's in the room.
What your people are actually up against
IP Theft & Editorial Compromise
Unreleased content, source identities, exclusive stories. Media organisations hold high-value information that state actors, competitors, and criminals are actively trying to reach. Your staff are the route in.
Targeted Journalist Attacks
State-sponsored actors specifically target journalists covering sensitive topics. Spear phishing, fake source outreach, malicious file attachments. The sophistication of these attacks is proportional to the value of the story.
Ransomware & Broadcast Disruption
Ransomware attacks against broadcasters and publishers are rising sharply. The goal is often disruption as much as extortion, and the reputational cost of going dark mid-broadcast is enormous regardless of whether the ransom is paid.
Third Party & Freelancer Risk
Media organisations work with a high volume of external contributors, freelancers, agencies, and production partners. Every external collaboration is a potential entry point. Security culture needs to cover how your permanent staff manage those relationships.
training that works because it doesn't feel like training.
The Cyber Escape Room Co. builds experiences that your people actually want to do. Physical escape rooms deployed at your premises. Digital simulations for remote teams. Large-scale events that put an entire organisation through a cyber scenario at once.
The format matters because engagement matters. A person who is genuinely invested in the scenario is a person whose brain is actually processing what's happening. That's the difference between information that fades by Thursday and instinct that holds under real pressure.
For media organisations specifically, the debrief is often as valuable as the experience itself. The conversations that happen when a team realises what they nearly did (or actually did) in a simulated scenario are exactly the conversations that need to happen before the real one arrives.
Not a training programme.
A rehearsal for the real thing.
Put your team inside the incident.
Scenario-based physical experiences deployed at your site. Groups of five work through carefully constructed media-sector scenarios under genuine time pressure: credential theft, phishing, social engineering, data handling failures. The debrief is where the behaviour change consolidates -- and where teams start talking about real situations they recognise from their day jobs.
The attack that works because your people are accessible.
Journalists, producers, and editorial staff take calls from unknown people as a matter of professional habit. That makes them a high-value target for voice-based social engineering, fake source outreach, and impersonation attacks. CTRL+Vish puts your people on the phone with an AI-powered visher before the real one calls. They experience the pressure, the manipulation tactics, and the moment they nearly gave something away -- in a safe environment.
An experience your whole organisation will actually talk about.
Media organisations know that how something is produced shapes how it lands. SPACE_ brings that same thinking to cyber security -- large-scale immersive events designed for hundreds of people at once. Conference takeovers, awareness month activations, all-hands experiences. The production values match the expectations of an audience that makes content for a living. The behaviour change is the point.
Ready to see what your team does under pressure?
Get in touch and we'll map the right experience to your workforce, risk profile, and your current awareness programme, and show you exactly where the gaps are.