In today’s hyper-connected world, it’s clear certain industries are becoming prime targets for cybercrime.
Our latest analysis of ICO data shows nearly 22,000 businesses and public sector organisations self-reported data breaches between 2023 and Q1 2025.
The health sector has the highest rates of self-reporting for personal data breaches, totalling 3,820 between 2023 and 2025 (up to Q1). In close second is education and childcare (3,246), followed by retail and manufacturing (2,385) and finance, insurance and credit (2,175).
Many of these sectors are also heavily regulated and operate under close public scrutiny. Because of this, organisations often adopt a risk-averse reporting approach.
However, as breaches become more prevalent, it is increasingly important to consider not just the technical aspects of data security but also the impact on employee wellbeing.
UK GDPR legislation defines a personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
Examples include sending an email to the wrong recipient, a lost laptop containing personal data, a cyberattack that exposes customer records or staff sharing sensitive data inappropriately or without authorisation.
Why your work environment plays a key role in data protection
It’s important that companies recognise the impact a potential data breach can have on wellbeing, especially if the current work environment already has a negative impact on employee engagement.
Currently, over half of UK employees say the demands of their job cause excessive stress, and the latest research shows poor employee mental health costs UK employers £51bn a year, with 63% experiencing at least one symptom of burnout.
A poor work environment can increase the likelihood of cyber breaches through negative behaviours. Anxiety and stress at work can impair judgment, leading to poor decision-making and an increased chance of falling for social engineering tactics.
Rushed, fatigued, or overworked employees may not prioritise security. Developers may skip security if under pressure, and 74% of people say they would ignore cybersecurity guidance to meet business goals.
An ICO investigation can cause additional anxiety among staff until the business implications are clear. System access may be restricted and normal work disrupted during this period, leading to notable effects on employee morale, especially if client data is at risk.
So, what actions can companies take?
1. Create a culture of clarity and protection
A positive security culture doesn’t mean actions lack consequences. Employees should feel safe to ask questions and report concerns.
This can be tricky to push if some employees already have a negative perception of workplace security.
A constant stream of security alerts can overwhelm employees, causing them to ignore even important messages. Managing numerous passwords and new work applications can compromise password security, as employees often reuse or create weak passwords.
Setting unrealistic deadlines for security training can lead to stress and frustration, leaving employees feeling overwhelmed rather than prepared for a data breach.
To improve the cybersecurity outlook, involve employees with regular phishing simulations and instant positive feedback for reporting suspicious activity. Making training interactive maintains engagement and helps foster a culture of appreciation.
Our research found that when employees feel appreciated at work, 88% are more likely to work harder for the business. This is why it can also be helpful to introduce recognition programmes to reward employees who follow best practices.
2. Help employees manage stress
According to research, 95% of cyber breaches result from human error, and, as mentioned earlier, overwork and stress can be significant contributors to mistakes that lead to data breaches.
This is why it’s important to ensure all project planning includes breathing room for employees, allowing space for security considerations and for mistakes to be made and fixed.
There also needs to be collaboration across all departments to make sure the impact of a data breach is evenly spread and that the stress doesn’t just fall on one team to resolve the issues.
For example, HR and IT should collaborate to safeguard sensitive employee and client data, and ensure that staff are aware of support available for mental wellbeing in the event of a data breach.
This may include Employee Assistance Programmes (EAPs), which support staff with issues like stress at home or work, financial difficulties and family and relationship concerns. Wellbeing benefits and talking therapies are an essential offering, helping all employees manage conflicting priorities, difficult emotions and common life stressors.
3. Prepare a breach response in advance
Although you can’t predict the timing and nature of a cyber incident, good incident management can reduce the financial, reputational, and operational impact of a breach.
It will also help alleviate fears and anxiety in the workforce if staff know that precautions are already in place and understand what is expected of them in the event of an incident.
Being well prepared also means legal obligations are complied with early and openly, with prompt and decisive actions restoring public confidence and trust, and reassuring shareholders.
Define clear procedures for notifying internal stakeholders, both employees and board members, as well as external parties like customers and stakeholders.
Make sure these documents are available and accessible to all staff, and communicate clearly where the documentation is saved. There’s no point having a breach response plan if no one in the company knows it exists or where to find it.
4. Offer real-time cybersecurity training
The sophistication of cyber threats is continually evolving, and business leaders must stay ahead by providing training that is both relevant and easily accessible to all employees.
Make security training both interactive and rewarding whenever possible. By keeping employees engaged, you’ll ensure they see cybersecurity as part of their job, not just IT’s responsibility.
Instead of isolated sessions, provide ongoing interactive cybersecurity training, like real-world simulations and gamified activities, to increase retention and daily security awareness.
Practical and engaging training ensures that employees remain security-conscious in their daily work.
Chris Britton is people experience director at Reward Gateway | Edenred


