The Human Firewall: Psychological safety as cyber defence
While cyberattacks are growing ever more sophisticated, they continue to rely on the same weak point: basic human error. A rushed click on a phishing link, a colleague too afraid to admit that they accidentally downloaded a suspicious file, or a contractor unsure whether to escalate a suspected breach – it’s these moments of doubt, hesitation or silence that serve as gateways for cyberattackers to exploit.
Despite this, cyberbreaches are often regarded as a failure of technology, rather than a failure of culture. As a result, organisations (rightly) pour investment into technical solutions, from stronger firewalls to smarter AI, but often overlook a crucial human line of defence: a culture that empowers its people to speak up. Psychological safety may not feature in your IT infrastructure diagram, but it could be your most powerful protective layer.
Why Psychological Safety Matters
At a conference earlier this year, I heard Sarah Armstrong-Smith, Chief Security Advisor at Microsoft, challenge conventional thinking around cybersecurity. Her message was simple but under-recognised: psychological safety – the belief that you can speak up without fear of embarrassment or punishment – is one of the most underused tools in an organisation’s cybersecurity toolkit.
If employees feel safe to raise concerns, report mistakes, or challenge poor digital habits without reprimand, organisations are far more likely to detect threats early, before they become crises.
Crucially, fostering a culture of openness and psychological safety doesn’t mean removing accountability. It means creating the conditions where people feel confident and equipped to act responsibly, even when the stakes are high. And that’s where internal communications have a vital role to play.
How can internal communicators cultivate psychological safety?
Internal communications form the frame on which an organisation’s culture is built. They shape the stories employees tell each other, and themselves, about what’s valued, rewarded, and safe to do at work. To build a culture that is psychologically safe, and therefore more resilient to cyberattacks, proactive and thoughtful internal communications are essential.
Here are three principles to guide your approach:
- Proactively normalise early reporting
Most organisations deliver mandatory phishing and cybersecurity training, which urges employees to speak up when they suspect a cyber breach. This reflects the flawed assumption that being told to do something is the same as feeling safe to do it – which is not the case.
Internal communications can close this gap between understanding the protocol and feeling confident enough to actually follow it. Use storytelling to spotlight individuals or teams who flagged a threat, admitted a mistake, or asked a “stupid” question that turned out to be the right one. In other words, frame reporting as a sign of maturity, rather than a failure – as something that’s rewarded, rather than simply tolerated or quietly judged. And crucially, share these stories proactively, before an incident occurs.
- Use language that empowers, not frightens
Cybersecurity communications often default to fear-based language, highlighting the potentially severe risks of small missteps, like clicking on a malicious link or downloading the wrong file. It’s understandable, but counterproductive: fear discourages openness, and when such mistakes do occur, employees often stay silent.
Instead, shift the narrative from fear to empowerment. Position every employee as a key player in the organisation’s security posture, highlighting what they can do, not just what they mustn’t. In clear, compelling language (rather than technical jargon), help employees to feel what they stand to protect, rather than what they risk breaking. Because when people feel informed, trusted, and confident, they’re far more likely to act when it matters.
- Create feedback loops that invite openness
Psychological safety is built on trust, and trust is built through dialogue, not monologue. To build true resilience, create safe, accessible channels for employees to ask questions, surface concerns, or offer suggestions related to cybersecurity. This could look like recurring “ask me anything” sessions with IT leaders, a monitored anonymous feedback tool, or dedicated Slack channels for digital safety.
Whatever the mechanism, internal communications should design and promote these spaces, ensuring they’re visible, approachable, and genuinely listened to.
Psychological safety is a security measure – and it starts with internal comms
Of course, technical defences will always be essential, but they’re only part of the picture. The difference between a contained incident and a catastrophic breach can often come down to whether someone felt safe enough to say something.
That’s why psychological safety is a strategic necessity, rather than a cultural ideal, and internal communicators have a unique responsibility to shape the conditions that allow it to flourish. By embedding psychological safety into the everyday culture of work, we help close the gap between policy and practice, between knowing and doing. And, in a world of constant digital threat, that cultural foundation could be the strongest firewall an organisation has in its arsenal.