Tris Morgan of BT on Building the Human Firewall

In today’s hyperconnected world, cybersecurity is no longer the exclusive domain of IT departments. It’s a boardroom issue, a cultural concern and a day-to-day priority for everyone in an organisation. For Tris Morgan, Managing Director of BT Security – part of the BT Group – the ever-evolving cyber threat landscape demands both technological innovation and a renewed focus on people.
With more than two decades of experience spanning cybersecurity, academia and government, Tris brings a human-centric approach to defence that resonates deeply across the telecommunications industry.
“Our role goes beyond technology,” he explains. “We provide strategic guidance that helps organisations of all sizes navigate cyber risk with confidence.
"Security is no longer just an IT issue, it’s a business-critical function – and BT is uniquely placed to support both the technology and human aspects of defence.”
The overlooked power of the human firewall
As technology evolves, so too do the attackers who exploit it. But amid AI-driven threats and complex malware campaigns, Tris argues that the weakest – and most powerful – link in any defence strategy remains the human element.
“Many organisations focus heavily on the latest tools and technologies, assuming that advanced attacks require equally as advanced defences. Yet, while technology is vital, it’s often people who can make the difference between an incident which is swiftly contained and one which ends in a costly breach,” he says.
The concept of the human firewall encapsulates the idea that employees who are trained and empowered can serve as the final layer of protection. “Overlooking the human firewall means overlooking one of the most critical parts of security.
"By investing in education and embedding security awareness and training into culture, organisations can transform their people into an active, resilient barrier against attack,” Tris adds.
The approach reflects a shift across the telecommunications sector, where digital transformation, cloud adoption and distributed workforces have expanded the attack surface. Strengthening people’s cyber instincts is now just as essential as deploying the latest firewalls or endpoint tools.
From tick-box to true engagement
Security awareness training has long been seen as a compliance exercise, an annual tick-box task. Tris challenges that mindset, arguing that genuine engagement is the key to building long-term resilience.
“Investing in a cyber-aware culture is what pays dividends to companies – this requires not just training but also buy-in from the top all the way down. Simple tick-box training rarely changes behaviour. To be effective, awareness programmes need to be practical, interactive and relevant,” he explains.
Gamified learning, quizzes and realistic phishing simulations all play a part in transforming dry content into memorable, actionable lessons. “Realistic phishing simulations are also particularly powerful. They give employees safe, hands-on experience of spotting and reporting threats,” Tris continues.
Crucially, training should be continuous, not a one-off exercise. “We know that hackers change their approaches all the time, so we need our people to be empowered to stay ahead,” he says. By tying training to real-world situations – from using public Wi-Fi to handling customer data – organisations can make security personal, not just procedural.
Simple errors, complex consequences
The biggest threats often come from the simplest mistakes. “The most common errors are surprisingly simple. Clicking on a phishing link, reusing weak passwords, leaving sensitive documents unattended or joining unsecured Wi-Fi networks are some of the most common,” says Tris.
Social engineering, he explains, remains one of the most effective tactics for attackers. “These errors usually stem from lack of awareness or pressure to act quickly, rather than negligence. Reducing them requires a mix of education and culture.
"Regular training, phishing simulations and clear procedures help build confidence in spotting suspicious activity. Encouraging and creating a safe space for a ‘stop and check’ mentality is key,” he adds.
When organisations move away from blame and instead promote openness and learning, employees become proactive defenders. “By creating a culture where vigilance is normal and errors are used as learning opportunities, organisations can significantly lower the risk of human-driven breaches,” Tris notes.
Adapting to the age of AI-powered threats
Artificial intelligence is transforming cybercrime. AI-generated phishing emails, deepfakes and context-aware scams are becoming increasingly convincing, eroding the reliability of traditional red flags such as spelling errors or poor grammar.
“AI is making phishing attacks more convincing than ever. Emails can now be tailored with context-specific details and even voice or video deepfakes. Traditional training that relies on spotting poor spelling or formatting is no longer enough. Awareness programmes need to adapt by focusing on behaviours rather than appearances,” Tris warns.
He stresses the importance of continuous adaptation. “Regular simulations that replicate AI-generated attacks will help staff build resilience against this new wave of threats. Importantly, training must evolve continuously alongside the threat landscape,” he says.
The lesson is clear: technology and education must evolve together. “AI has raised the stakes, pairing education with supportive technology, but with adaptive training and a strong human firewall, organisations can stay ahead of attackers,” Tris concludes.
Cyber resilience for every business size
For small and medium-sized enterprises (SMEs), the message is reassuring: cyber resilience doesn’t have to break the bank. “For smaller businesses, building cyber resilience doesn’t have to mean heavy investment.
“Training staff on how to recognise phishing, social engineering or suspicious physical activity is the most cost-effective way to strengthen defences,” says Tris.
Even simple steps, such as gamified training or phishing simulations, can make a significant difference. “Crucially, vigilance should be seen as everyone’s responsibility, not just the IT teams. Regular communication about threats, sharing lessons learned and rewarding proactive behaviour all reinforce this mindset,” he adds.
By combining education, policy and continuous improvement, SMEs can foster a culture where every employee contributes to security, serving as a collective shield against evolving threats.
A united front in the fight against cybercrime
As cyber threats grow in sophistication, the industry must remember that the strongest defences are built on people as much as on technology. Under Tris’s leadership, BT Security continues to champion the dual approach, uniting strategic innovation with human insight.
From the largest telecom providers to the smallest businesses, the path forward lies in collaboration, awareness and empowerment. By transforming every employee into a vigilant, informed participant in security, organisations can build not just defences, but resilience.
In Tris’s words: “Ultimately, the more colleagues understand how attackers are evolving and how to respond effectively, the better prepared they’ll be to protect themselves and the organisation.”



