A Creative Consultancy’s Cyber Wake-Up Call

This creative consultancy operates at the intersection of design and technical delivery within the AEC sector. Working on fast-paced, multi-stakeholder projects, the team manages sensitive client information daily. With between 30 and 60 staff, they rely on streamlined collaboration and trust, both internally and with clients. As the business scaled, leadership recognised that protecting this trust meant looking beyond firewalls and antivirus tools, and tackling one of the biggest risks of all: human behaviour.

Industry: Creative and AEC

Organisation Size: 30–60 staff

Service Areas: Cybersecurity Training, Risk Management, Policy Compliance

‍

The consultancy had the right technical defences in place, firewalls, antivirus, secure cloud platforms, but one critical gap remained: people. Day-to-day, employees handled sensitive client data under tight deadlines, often switching between tools and communication platforms. That pressure created a vulnerability.

A close call involving a phishing email acted as a wake-up call. It wasn’t just about stopping viruses or patching software; the real risk lay in user behaviour. Leadership recognised they needed to level-up awareness across the team and build a stronger, more informed culture around cybersecurity: one that could scale with the business and stand up to scrutiny from clients and compliance auditors alike.

To turn awareness into action, the consultancy rolled out a structured, human-focused security programme. We deployed our Cyber Awareness and Training Suite: a cloud-based platform designed to engage users, not just tick compliance boxes.

Key elements included:

• Tailored Training: Every employee received role-specific cybersecurity training, designed to be clear, relevant, and easy to absorb.
• Real-World Simulations: Phishing simulations were sent out periodically, testing the team’s reflexes and helping identify areas that needed reinforcement.
• Dark Web Monitoring: We introduced ongoing checks for exposed credentials: a behind-the-scenes layer of defence that gave the leadership team greater peace of mind.
• Policy Acknowledgement Tracking: Every staff member signed and tracked key IT policies through the platform, providing a clear audit trail for governance and client assurance.
• Adaptive Risk Scoring: Users received a risk score based on behaviour and training progress, helping the business understand where attention was most needed.

This wasn’t a one-off training day: it was an ongoing investment in resilience.

Within just a few months, the consultancy had transformed its approach to cybersecurity from reactive to proactive. Employees were noticeably more alert to common threats, and phishing simulation click-through rates dropped significantly: a strong sign that training was landing where it needed to. Every staff member completed their awareness modules, building a shared understanding of the role each person plays in protecting sensitive client data.

Real-time risk scoring and credential monitoring helped the leadership team identify vulnerabilities early, before they became real-world problems. The firm now has a full audit trail of compliance and policy acknowledgements, equipping them for tighter procurement requirements and future growth.

Most importantly, security is no longer seen as a background IT concern: it’s become a shared responsibility embedded in the everyday habits of the team.