BT: Why Human Firewalls Are Critical in AI Cybersecurity

Tris Morgan, Managing Director of BT Security
BT Security’s MD Tris Morgan explains why employee training and human firewalls are essential defences against AI-powered phishing and cyber attacks

Cybersecurity has always been a game of cat and mouse – but now the mice have AI and they’re getting very good at it.

Tris Morgan has spent over twenty years in the cybersecurity trenches, moving between industry, academia and government. 

Now, as Managing Director of BT Security, he’s watching the cybersecurity environment change in ways that would have seemed like science fiction just a few years ago.

“Our role goes beyond technology,” Tris explains.

“We provide strategic guidance that helps organisations of all sizes navigate cyber risk with confidence.

“Security is no longer just an IT issue, it’s a business-critical function – and BT is uniquely placed to support both the technology and human aspects of defence.”

His journey – from Silicon Valley startups to leading security strategy at one of the world’s most established telecoms giants – has taught him one crucial lesson: the fanciest tech in the world won’t save you if your people aren’t on board.

Drawing on his background in computer science and AI, Tris has a unique perspective on today’s threats. 

He sees both sides of the equation: the algorithms attackers are weaponising and the very human vulnerabilities they’re designed to exploit.


As AI-powered attacks become more sophisticated and harder to spot, this conversation with Tris gets to the heart of a critical question: in a world where machines can perfectly mimic your CEO’s voice or craft a flawless phishing email, how do you turn your employees from your weakest link into your strongest defence?

Why do you think the ‘human firewall’ is often overlooked in cybersecurity strategies?

Many organisations focus heavily on the latest tools and technologies, assuming that advanced attacks require equally advanced defences.

Yet, while technology is vital, it’s often people who can make the difference between an incident which is swiftly contained and one which ends in a costly breach. From small businesses to multinationals, people are central to keeping systems secure.

A ‘human firewall’ refers to employees who are trained and empowered to recognise and respond to suspicious activity. This layer is often undervalued, despite human error contributing to the majority of breaches. 


Attackers frequently exploit behaviour, trust or lack of awareness rather than purely technical gaps. In fact, employees may be the very last line of defence if automated systems miss something.

Overlooking the human firewall means overlooking one of the most critical parts of security. By investing in education and embedding security awareness and training into culture, organisations can transform their people into an active, resilient barrier against attack.

How can organisations make security training truly engaging, not just a tick-box?

Investing in a cyber-aware culture is what pays dividends to companies – this requires not just training but also buy-in from the top all the way down. 

Simple tick-box training rarely changes behaviour. To be effective, awareness programmes need to be practical, interactive and relevant. Bite-sized modules with quizzes or gamified elements work far better than long, one-off sessions.

Realistic phishing simulations are also particularly powerful. They give employees safe, hands-on experience of spotting and reporting threats.

Training should be ongoing, not a one-off exercise, with regular refreshers that reflect the evolving threat landscape. We know that hackers change their approaches all the time, so we need our people to be empowered to stay ahead.

Crucially, employees need to see why it matters to them personally as well as professionally. Linking training to real-world scenarios, such as working securely on public Wi-Fi or handling sensitive data, makes it more relatable.

Finally, transparent reporting and feedback can help teams track progress, celebrate improvements and feel part of a collective defence. When people are engaged, they don’t just complete training, forget about it and move on: they live it in their day-to-day roles.

What human errors most often lead to breaches? How can they be reduced?

The most common errors are surprisingly simple. Clicking on a phishing link, reusing weak passwords, leaving sensitive documents unattended or joining unsecured Wi-Fi networks are some of the most common.


Social engineering plays a major role. Attackers use tactics like pretexting, baiting and quid pro quo to trick people into sharing information. Tailgating, both digital and physical, is another overlooked risk.

These errors usually stem from a lack of awareness or pressure to act quickly, rather than negligence. Reducing them requires a mix of education and culture.

Regular training, phishing simulations and clear procedures help build confidence in spotting suspicious activity. Encouraging and creating a safe space for a ‘stop and check’ mentality is key. Staff should feel comfortable questioning unexpected requests or reporting potential mistakes.

By creating a culture where vigilance is normal and errors are used as learning opportunities, organisations can significantly lower the risk of human-driven breaches.

With AI-powered phishing on the rise, how should awareness training evolve?

AI is making phishing attacks more convincing than ever. Emails can now be tailored with context-specific details, and even voice or video deepfakes. Traditional training that relies on spotting poor spelling or formatting is no longer enough. Awareness programmes need to adapt by focusing on behaviours rather than appearances.

Employees should be taught to verify unusual requests through trusted channels, pause before clicking and look for context clues rather than superficial signs. 

Regular simulations that replicate AI-generated attacks will help staff build resilience against this new wave of threats. Importantly, training must evolve continuously alongside the threat landscape. 

AI has raised the stakes, but by pairing education with supportive technology, adaptive training and a strong human firewall, organisations can stay ahead of attackers.

Ultimately, the more colleagues understand how attackers are evolving, and how to respond effectively, the better prepared they’ll be to protect themselves and the organisation. This is why training has to keep pace with the times and should be delivered regularly.

What affordable steps can SMEs take to build a culture of vigilance?

For smaller businesses, building cyber resilience doesn’t have to mean heavy investment. Training staff on how to recognise phishing, social engineering or suspicious physical activity is the most cost-effective way to strengthen defences.

Affordable training programmes now use gamification and realistic simulations, making them engaging as well as impactful. SMEs can also run simple internal tests, such as phishing email exercises, to reinforce good habits. 

Establishing clear policies, such as locking devices or verifying unusual requests, helps create a baseline of security culture.

Crucially, vigilance should be seen as everyone’s responsibility, not just the IT team’s. Regular communication about threats, sharing lessons learned and rewarding proactive behaviour all reinforce this mindset.

Carrying out an audit of your security services to understand where vulnerabilities may lie and investing in training should also form a core part of any business’ protection plans.

Finally, SMEs should monitor and adapt as threats evolve. By combining training, testing and continuous improvement, even modest investments can transform staff into an effective human firewall.
