A Hamburg–Lisbon startup is turning agricultural waste into protein powder using microbes, producing vegan dog treats today and working towards reshaping tomorrow’s food system.

MicroHarvest

MicroHarvest was founded in 2021 by Katelijne Bekers, Luísa Cruz, and Paulo Teixeira, and operates between Hamburg and Lisbon. The company specialises in microbial fermentation, a process that uses bacteria to convert by-products from the agricultural industry into protein-rich biomass.

At its Lisbon pilot plant, based in a former military food factory now known as the Unicorn Factory, large fermenters are filled with microbes and fed residual sugars from crops. Within 24 hours, those microbes multiply rapidly, creating a thick broth that is harvested, inactivated, and dried into a beige powder resembling flour. The result is a product with over 60 per cent protein content, alongside fibre, essential amino acids, iron, and vitamin B2.

MicroHarvest describes its approach as sustainable, scalable, and highly efficient. A life-cycle analysis suggests its process generates only 1.4 kg of CO₂ per kilogram of protein, two to three times less than most plant-based proteins and dramatically less than beef or dairy.

What Products Are Already on the Market?

While human consumption awaits regulatory approval, MicroHarvest has already moved into the pet-food sector. For example, in 2024, the company partnered with German brand VEGDOG to launch Pure Bites, a dog treat made with microbial protein, potato, and apple pomace. The snack was introduced at Interzoo Europe, one of the continent’s largest pet-food trade events, and is marketed as hypoallergenic, nutritious, and suitable for dogs with intolerances.

Dogs More Receptive To Microbial Protein Treats

Interestingly, palatability trials carried out by MicroHarvest found that dogs were more receptive to microbial protein treats than to poultry-based alternatives, with 85 per cent acceptance compared to 75 per cent. Also, a consumer survey across the UK and Germany showed similar openness, with around 78 per cent of dog owners saying they would consider buying pet food containing microbial protein.

This early focus on pet nutrition appears to make sense for the company as the animal feed and pet food sectors are less tightly regulated than human products, thereby enabling a faster route to market. They also represent a growing sector where sustainable, alternative protein sources are in high demand.

How the Technology Works

MicroHarvest’s process is based on microbial fermentation, a technique familiar from traditional foods such as yoghurt, kefir, and sauerkraut. The company cultivates specific bacterial strains in bioreactors, using agricultural by-products like molasses or other sugar streams as feedstock.

Once the microbes have multiplied, the biomass is separated, the cells are inactivated through heat treatment, and the material is dried into a stable protein powder. The entire cycle takes less than a day, compared with months for growing soy or years for raising livestock.

According to the company, the method reduces land use by up to 99 per cent and cuts carbon emissions by more than 70 per cent compared to beef. Also, because the process is carried out indoors, it can be established close to existing food or feed industries, bypassing the need for extensive farmland.

Why It Matters for Sustainability

The global demand for protein is expected to increase by around 50 per cent by 2050. Meeting that need through conventional farming would intensify deforestation, water use, and greenhouse gas emissions. Alternative proteins are seen as essential to bridging the gap without worsening environmental pressures.

A 2022 study in Nature suggested that replacing just 20 per cent of global beef consumption with microbial proteins could halve annual deforestation rates by mid-century. For companies like MicroHarvest, these figures highlight the potential of microbial protein to play a serious role in climate and food-security strategies.

MicroHarvest’s stated aim is to deliver protein that is not only sustainable but also versatile. Beyond dog treats, the company is developing applications in aquaculture feed, livestock diets, and eventually human food products such as shakes, protein bars, and dairy alternatives.

The Wider Landscape of Fermentation-Based Proteins

It’s worth noting here that MicroHarvest is certainly not alone in pursuing microbial solutions. The sector has attracted nearly $1 billion in global investment over the past year, with Europe claiming close to half of that. Examples of other companies in this space include:

– Finland’s Solar Foods, which has developed Solein, a protein made from microbes fed with hydrogen and carbon dioxide captured from the air. Its first commercial facility is under construction and it has received approval for human consumption in Singapore.

– Germany’s Formo, which is using precision fermentation to produce casein proteins for dairy-free cheese.

– Dutch company Vivici, which has raised over €30 million in 2025 to scale animal-free whey proteins made with microbes.

– UK-based Enough cultivates fungi to create mycoprotein, used in plant-based meat substitutes.

Also, large food companies such as Nestlé and Unilever are partnering with startups to explore microbial protein for mainstream products, seeing the potential for lower-impact ingredients that can appeal to sustainability-minded consumers.

Hurdles

Despite the momentum, microbial protein faces some serious hurdles. The first is, of course, regulation. MicroHarvest has already submitted a full dossier to the European Food Safety Authority seeking approval for human use. The process involves extensive safety and DNA screenings, and while the company is optimistic, approval timelines remain uncertain. Other alternative-protein startups have seen years of delay in Europe, forcing some to launch in more permissive markets such as Singapore.

Cost is another key concern. While microbial fermentation is highly efficient, building large-scale production plants requires significant capital investment. MicroHarvest has announced plans for a 15,000-tonne facility by 2027, more than 40 times its current output, but scaling to that level will test both its technology and its financial backing.

Consumer perception is a further challenge. For example, although microbes are commonplace in familiar foods, the idea of eating “bacteria powder” may not appeal to all shoppers. Industry observers note that how the products are framed, whether as “fermented protein” or as “next-generation ingredients”, could influence public acceptance.

The competitive landscape is also intensifying. For example, dozens of startups are experimenting with different microbes, feedstocks, and fermentation technologies. At the same time, insect protein, cultured meat, and plant-based innovations are all vying for space in the growing alternative-protein market.

What Does This Mean For Your Organisation?

The balance for MicroHarvest and its peers lies in proving they can deliver at scale while keeping costs competitive and building trust with regulators and consumers. If they succeed, microbial proteins could become more than a niche ingredient, offering a reliable and efficient source of nutrition at a time when global demand is set to rise sharply. For UK businesses in particular, this could mean opportunities in supply chain partnerships, retail adoption, and product innovation across both pet and human food markets. It also raises questions for existing agricultural producers, who may need to adapt to the emergence of new protein streams that use fewer resources and appeal to environmentally conscious buyers.

For policymakers and regulators, the challenge will be how quickly they can evaluate and approve these technologies without compromising safety. Investors, meanwhile, will be watching closely to see which companies can move from pilot plants to full commercial output. MicroHarvest’s ambition to open a 15,000-tonne facility in just two years will be one such test.

The future of food will not be decided by a single technology, but microbial protein now has a seat at the table. Whether it becomes a mainstay of diets or remains limited to specialist markets will depend on cost, regulation, and public acceptance. For now, the evidence suggests it has the potential to deliver real sustainability gains, and businesses across Europe and beyond are positioning themselves to find out just how far this promise can go.

Did you know? ChatGPT makes it really easy to share your prompts (and subsequent conversations) by giving you a hyperlink. This video shows you how to collaborate with your colleagues by sending them links to entire prompts/outputs, right in the heart of the platform itself.

[Note – To Watch This Video without glitches/interruptions, It may be best to download it first]

Need a quick answer or idea without waiting? If you’re using GPT‑5, switching to “Fast” mode gives you instant results with minimal delay.

How to:

– Make sure you’re using GPT‑5 in ChatGPT (available to Plus, Team, and Pro users).
– In the model dropdown at the top, select Fast.
– Enter your question or prompt as usual, e.g. “List three ways to improve team productivity.”

What it’s for:

Ideal for simple questions, lists, ideas or light research when you’re short on time and don’t need deeper reasoning.

Pro‑Tip: If the response is too basic, switch to “Thinking Mini” (if you have access to it GPT‑5) or full “Thinking” mode for more detailed insights – each mode balances speed and depth differently.

As employees increasingly snap summer photos on work phones and sync them to corporate cloud storage, UK businesses are facing fresh legal and data protection risks, so this article looks at where the boundaries lie, what the law says, and what employers should do next.

Blurred Lines Between Work and Personal Life

It has become second nature for many employees to reach for their phones during a beach day, family BBQ, or office-social. However, when that phone is company-issued (and backed up to a business-managed cloud) those sunny snapshots can come with unexpected regulatory baggage.

As of 2025, the line between personal and professional device use remains hazy, particularly in organisations without strict mobile device management policies. Whether employees are using work-issued smartphones or accessing business services through their own phones under a bring-your-own-device arrangement, the organisation’s GDPR responsibilities still apply.

For example, if an employee takes a group photo at a summer party using their company iPhone, then syncs it to OneDrive or a shared Google Workspace folder, the image may qualify as personal data. If the photo contains identifiable facial features, it could even fall under the UK GDPR’s stricter rules for special category data.

What Counts as Personal Data and Why It Matters

According to the UK GDPR, personal data refers to any information relating to an identified or identifiable individual. This can include names, locations, and biometric identifiers such as facial images.

Photographs often fall into this category. In a 2023 blog post directed at photographers, the Information Commissioner’s Office (ICO) reiterated that even casual images taken at informal gatherings can qualify as personal data if faces are clearly visible, or if the photo’s metadata reveals identifiable information.

Also, as data protection consultancy URM has warned, many organisations do not realise they are processing special category data when they store or distribute images of individuals. It described this as a potential compliance gap, particularly when personal and work-related photos mix.

This gap has already caused real-world issues. For example (back in 2022) a Midlands-based employer was investigated following a subject access request in which an employee discovered that images shared informally via a work cloud had been stored and potentially processed without lawful basis. Although no fine was issued, the ICO cautioned that such incidents could result in formal enforcement action in future.

GDPR Meets the Summer Sharing Culture

The warmer months typically see a rise in casual image sharing, from staff parties to client events to informal selfies. These images often land, unintentionally, in business systems such as shared drives, messaging apps, or Microsoft Teams folders.

Under UK GDPR, however, even internal-only use of personal data requires a lawful basis. Organisations must also notify individuals that their data is being processed and explain their rights, including the right to object or request deletion.

In practice, this compliance is often lacking. A 2024 study by Harper James Solicitors found that 38 percent of UK SMEs had no documented policy on employee photography or image storage. Of those that did, only 17 percent provided GDPR-compliant privacy notices to staff.

It is not only formal photos that pose a risk. Informal selfies taken on work phones and automatically uploaded to company cloud services may inadvertently become visible to system administrators or be exposed in a data breach. If family members or children appear in these images, the data protection concerns become even more serious.

Cloud Storage

Modern business devices are usually set up to back up automatically to cloud services. While this protects against data loss, it also means personal images taken on company phones may end up stored in corporate systems.

Cloud providers such as Microsoft, Google, and Apple are classed as data processors under the GDPR when they act on behalf of a business. This means that the employer, as the data controller, must ensure that data processing agreements are in place, the data is stored securely, and any international data transfers are lawfully managed.

For example, if an employee’s photo taken on a company iPhone is backed up to an iCloud account controlled by the IT department and hosted outside the UK, the business is legally responsible for ensuring appropriate safeguards are in place. Failure to do so could constitute a breach of Articles 44 to 49 of the UK GDPR.

The ICO has also issued repeated warnings that businesses using unmanaged cloud platforms without formal access controls may be at risk of unauthorised data access, particularly when employees leave the organisation and their accounts are not promptly deactivated.

Subject Access Requests and Administrative Headaches

The right of access, enshrined in the UK GDPR, gives individuals the ability to request any personal data held about them, including images, chat messages, and stored files. Once a subject access request is received, it must be fulfilled within 30 days.

However, this becomes highly problematic for organisations that allow employees to store personal content on corporate systems. For example, if one employee’s personal data is mixed with private material belonging to others, IT teams may be forced to sift through large volumes of photos, chat logs, or cloud folders to redact non-relevant data.

The Data Use and Access Act 2025, which received Royal Assent in June, places further pressure on employers. It introduces more detailed rules on how organisations must segregate personal and business content in employee data collections, particularly in cases where employees have been dismissed or have made legal complaints. Firms without clear systems in place may struggle to comply without incurring significant cost.

BYOD and Blurred Accountability

Even when companies operate a bring-your-own-device policy, the legal responsibilities do not disappear. Once a personal phone is used to access work platforms such as Outlook, Teams, or SharePoint, any data handled through those services becomes the employer’s responsibility under UK GDPR.

As legal advisors at Sprintlaw UK note, employers must still have robust policies in place to ensure that business data is protected and employees understand what constitutes acceptable use.

This is especially relevant in summer, when employees may inadvertently upload personal photos to business systems while attempting to clear phone space or share files. If a breach occurs and it is found that no technical safeguards were in place, the ICO may hold the business, not the individual, accountable.

What UK Employers Should Consider

Despite the complexity, there are several practical actions employers can take to reduce the risk of summer photo mishaps. For example:

– Organisations should audit company-managed phones and cloud platforms to determine whether personal data, including images, is being stored inadvertently. They should also review and update default sync settings on devices during onboarding and offboarding, and introduce or reinforce clear policies about acceptable personal use of company devices.

– Mobile device management tools should be used to isolate or wipe personal data when necessary. Businesses may also choose to restrict cloud sync functions to business-only folders, or disable photo uploads altogether.

– It is important to communicate clearly with employees that company systems are not private, and that data may be accessed in the event of a subject access request. Employers should issue GDPR-compliant notices explaining how staff photos may be used, especially in internal communications or promotional materials.

– Staff should be given training to help them understand what qualifies as personal data and how to avoid inadvertent data breaches.

This combination of policy, technology, and communication can help organisations avoid compliance pitfalls while maintaining a respectful balance between employee privacy and corporate accountability.

What Does This Mean For Your Business?

Organisations that fail to address these issues head-on could be exposing themselves to far more than just reputational damage. The legal and operational consequences of mishandled personal data, particularly where summer photos are concerned, are growing more tangible, not less. The rise in subject access requests, tighter scrutiny from the ICO, and the introduction of new legislation such as the Data Use and Access Act are all signs that regulators expect more from employers when it comes to separating business and personal data.

For UK businesses, the message is pretty clear. Even low-risk behaviours, like taking a photo at a team BBQ, can become governance headaches if the right controls are not in place. That does not mean personal moments need to be banned from the workplace entirely, but it does mean they must be treated with the same care as any other form of personal data. Failing to do so could leave businesses scrambling to comply with access requests, justify their data retention practices, or explain gaps in policy during an ICO investigation.

The implications extend beyond legal teams and IT departments. HR leaders, department heads, and even marketing teams who reuse internal images must also understand their responsibilities under GDPR. Employees themselves, meanwhile, need clearer guidance about what is and is not appropriate when using work devices for personal use.

Maintaining trust between employees and employers, therefore, depends on clarity, not guesswork. In an age where photos, chats, and uploads are generated with barely a second thought, organisations that take a proactive, structured approach will be far better positioned to navigate the grey areas. Getting this right now is not just about avoiding enforcement, but it is about future-proofing data governance in a working world where the line between personal and professional continues to shift.

Business travel can expose individuals to serious cyber threats when connecting to hotel or airport Wi-Fi, so here we explain how to stay secure using practical precautions such as VPNs and mobile tethering.

Why Public Wi-Fi Is a Hidden Risk for Travellers

Public Wi-Fi is one of the most widely used digital conveniences among UK business travellers. Whether in airports, hotels, cafés or train stations, free internet access is often seen as a quick and easy way to stay productive while on the move. But security experts are warning that many of these networks are poorly protected or actively targeted by cyber criminals looking to intercept data or install malware.

A Norton survey found that 60 per cent of travellers were already connecting to public Wi-Fi at least once a week in 2023, with nearly half admitting they’d used unsecured networks to check work emails or log in to sensitive accounts. More recently, a 2024 analysis by cybersecurity firm Inflection Point confirmed that around 70 per cent of business travellers had encountered some form of cyber threat while away from their usual workplace.

For UK businesses in 2025, the operational risk is even greater. Remote access to corporate tools is now standard, while business travel has rebounded strongly across Europe and beyond. Insecure public networks can easily be exploited to steal credentials, compromise cloud accounts or gain backdoor access to business systems. The threat is no longer limited to high-risk environments, it’s embedded in everyday travel routines.

How Criminals Target Public Wi-Fi Users

The main security risk with public Wi-Fi is that it often lacks encryption. This means that the data sent between your device and the router can be intercepted by third parties using basic equipment. One of the most common tactics is known as a man-in-the-middle attack, where a hacker places themselves between you and the network to eavesdrop on your activity or harvest personal and company data.

Rogue Wi-Fi Hotspots

Another growing tactic is the use of so-called “evil twin” networks. These are rogue Wi-Fi hotspots set up to mimic a legitimate service, often with names like “Hotel_WiFi_Guest” or “Free_Airport_WiFi”. Once connected, users may be redirected to phishing pages or silently monitored. According to a recent report from US-based WatchGuard Technologies, it takes as little as £400 worth of off-the-shelf kit to create one of these fake hotspots.

Even genuine Wi-Fi networks can be a risk. For example, hotel systems are often shared across hundreds of users and rarely updated or segmented, making them soft targets. Airports are also ideal hunting grounds for criminals, thanks to the large volume of fast-moving, distracted users and international visitors unfamiliar with local security risks.

What Experts Recommend for Safer Connections

Security experts agree that the safest approach is to avoid public Wi-Fi altogether where possible. However, when access is essential, there are some practical steps that can significantly reduce the risk.

VPNs

The most important measure is to use a virtual private network (VPN). A VPN encrypts your internet traffic, so even if someone intercepts the connection, they won’t be able to read or tamper with your data. As Paul Bischoff, consumer privacy advocate at Comparitech, explains: “A VPN creates a secure tunnel that protects your traffic from snoopers on unsecured networks. For travellers, it’s an essential layer of defence.”

There are dozens of business-grade VPN providers on the market, with options like NordVPN, Surfshark and ExpressVPN all offering apps compatible with laptops and mobile devices. However, not all VPNs are equally secure. Free versions, in particular, may collect data or lack proper encryption protocols.

Tethering

Another option is mobile tethering, which involves connecting a laptop or tablet to the internet via your phone’s 4G or 5G data rather than using Wi-Fi. This method uses your mobile provider’s encrypted network and is generally far safer than connecting to unknown hotspots. Most smartphones have built-in hotspot functionality, though business travellers should check their data limits before relying on this approach abroad.

In situations where public Wi-Fi must be used, it’s also wise to:

– Avoid online banking, file sharing and sensitive logins.

– Stick to websites using HTTPS (look for the padlock symbol in your browser).

– Turn off auto-connect and file sharing features.

– Set the connection type to ‘Public’ in your device settings.

– Keep all apps, browsers and antivirus software up to date.

How Mobile Habits Can Create Unintended Exposure

A recent study by the UK’s National Cyber Security Centre (NCSC) highlighted how user behaviour plays a key role in exposure to cyber threats. In their analysis of business travel patterns, they found that users often relax security habits when on the move, especially during summer holidays or while rushing through airports.

For example, many travellers leave their phones or laptops unlocked, or stay logged in to work systems and cloud services. Others fail to check the legitimacy of a network before connecting, relying on familiar-sounding names. These small lapses, while understandable, can make it much easier for attackers to gain access.

The NCSC advises that staff travelling for work should be briefed on digital hygiene protocols and given the tools needed to work safely while mobile. This might include rolling out managed VPN solutions or providing mobile data allowances specifically for tethering.

The Cloud

One other important aspect to consider is that businesses are now increasingly reliant on cloud-based tools and remote access platforms, from Microsoft 365 and Slack to enterprise CRM systems. This has brought major flexibility gains, but it has also raised the stakes when it comes to endpoint security. For example, a compromised login from a hotel room abroad could open the door to serious breaches back home.

The UK’s Information Commissioner’s Office (ICO) warns that data breaches involving personal or client information (even if caused by insecure Wi-Fi use) can lead to investigations and fines under the UK GDPR regime. For regulated sectors such as legal, healthcare and finance, this risk is even more acute.

Reputational Damage Risk

There’s also reputational damage to consider. In one documented incident investigated by FireEye, a consultant’s credentials were stolen via a compromised hotel Wi-Fi network linked to the Russian espionage group APT28 (also known as Fancy Bear). The attackers exploited hotel routers to harvest guest login details, and those credentials were later used to access corporate systems remotely. Although no malware was installed on the consultant’s device, the breach led to serious trust issues for the consultancy firm involved, who were forced to issue apologies to clients and implement stricter travel security protocols.

Simple Precautions That Reduce the Risk for Everyone

Despite the risks, public Wi-Fi use isn’t going away anytime soon, but business travellers can take control with a combination of awareness and simple protective tools. In addition to using a VPN or mobile tethering, businesses should ensure that staff understand how to recognise suspicious networks and what to do if they think a device has been compromised.

MFA

The NCSC also recommends that all business devices use multi-factor authentication (MFA) and endpoint security tools to minimise exposure. Organisations should also maintain clear reporting lines in the event of a suspected breach so that action can be taken quickly.

Whether on a short-haul trip to Brussels or checking emails from a hotel bar in Singapore, a few small changes in behaviour can significantly reduce the likelihood of an attack. With cyber criminals becoming more sophisticated each year, secure connectivity is now essential travel kit.

What Does This Mean For Your Business?

Cyber security on the move is no longer a niche concern for IT teams. As this summer’s travel season gathers pace, the reality is that every employee logging on from a hotel, airport or conference centre is a potential entry point for a wider breach. Public Wi-Fi remains widely used but poorly understood, and attackers continue to exploit that gap with tactics that are cheap to deploy but costly to recover from.

For UK businesses, the stakes are clear. A single compromised login can lead to regulatory consequences, reputational damage and financial loss. This is especially true in sectors where client confidentiality, personal data or financial systems are involved. Relying on convenience over security, particularly during travel, risks undermining all the investment made in other parts of the company’s digital infrastructure. However, as this article has shown, the tools to mitigate that risk already exist. VPNs, mobile tethering, MFA, and well-informed staff are not just best practice, they are now baseline requirements for secure hybrid working.

What matters next is awareness and consistency. Companies must ensure that secure connection policies are more than a tick-box exercise, especially as international travel becomes routine again.

UK firms are using summer downtime to run cybersecurity quizzes that improve staff awareness, reduce phishing risks, support onboarding, and build a stronger security culture ahead of the September reset.

Why Summer Is the Time to Act

It may seem counterintuitive to launch a cybersecurity initiative during the holiday season, yet security professionals say this is exactly the right time to do it.

Staff returning from leave are often catching up on emails, resetting routines, and switching back into work mode. That makes them particularly vulnerable to phishing emails, credential theft, and misjudged clicks. For example, according to CybSafe, human error still accounts for 95 per cent of successful cyber attacks, with fatigue, distraction and complacency frequently involved.

A 2024 KnowBe4 report found that staff were 29 per cent more likely to click on phishing links in the first week after returning from time off. With many UK employees taking annual leave during July and August, the September return presents a high-risk window.

That is why many IT and compliance teams are opting to launch a light-touch but high-impact quiz or awareness campaign during summer, or just at the end of the holiday period. The aim is to create a timely reset, not a compliance burden. As CybSafe puts it, “It’s like sharpening the tools before we go back into the busy season.”

Back to Business and Back to Basics

The term “back to school” may be figurative, but the principle stands. September often marks a fresh start, Q4 planning begins, new projects launch, and there is an influx of new joiners or temporary staff.

That makes it a natural moment to remind employees of core cyber hygiene habits. Password security, phishing recognition, two-factor authentication, and safe use of cloud platforms are all common focus areas. Rather than relying on lengthy and formal training sessions, many businesses are shifting towards short and interactive formats that nudge behaviour and boost recall.

Awareness Quizzes

For example, firms including CybSafe, KnowBe4 and ESET now offer ready-made awareness quizzes tailored to workplace risks. These tools test employees’ understanding of phishing techniques, device hygiene, credential security, and social engineering tactics. Many offer features such as internal benchmarking, anonymised scoring by department, and follow-up resources based on quiz performance.

Quizzes typically include multiple choice or scenario-based questions, with questions such as, “You receive a Teams message from your manager with an urgent link to an invoice. What should you do?” Feedback is usually immediate, and correct answers are explained to reinforce good habits.

To be effective, questions need to reflect real-life risks. For example, a phishing section might include, “This email asks you to ‘urgently verify your payroll details’ using a link. What should you check first before clicking?” A password hygiene question could ask, “Which of these is the most secure password: Pa55word!, £S78qp*4, John1980, or MyCompany123?” Other useful topics include recognising suspicious attachments, safe use of public Wi-Fi, and what to do if you suspect your laptop has been compromised.

For remote or hybrid workers, practical scenarios can help highlight overlooked risks. One example might be, “You’re working from a café and need to join a video call. What is the safest way to connect?” By focusing on realistic decisions, these questions build familiarity with threats and give staff confidence to make better choices.

As CybSafe notes, “Security awareness doesn’t need to be dry. Gamification increases engagement by up to 60 per cent, and we see higher retention when people enjoy the format.”

New Staff, New Risks

Another reason why late summer is an ideal time for awareness activity is the volume of onboarding across many sectors. Whether it is school leavers entering the workforce or internal moves following the holiday period, new and transitioning employees are consistently shown to be more vulnerable.

Research cited by Keepnet Labs shows that new hires are 44 per cent more likely to click on phishing links, and 71 per cent more susceptible to social engineering tactics within their first three months. This is often due to unfamiliarity with tools, eagerness to make a good impression, and uncertainty around what constitutes suspicious behaviour.

Embedding a cyber quiz into induction materials or using it as part of a post-holiday reset can help mitigate this. According to Keepnet, “Embedding quizzes into everyday culture, not just annual training, helps build shared ownership of cyber hygiene. Awareness becomes a team asset, not an individual chore.”

Campaigns That Stick

Many UK firms are using seasonal branding and lighter messaging to increase participation. For example, naming the initiative “Back to Business: Cyber Reset” or “Security September” helps frame the content as helpful and timely, rather than bureaucratic.

Typical campaign assets include a short online quiz, accompanying infographics or posters on common threats, and a follow-up message sharing results or next steps. Some businesses use this moment to revisit hybrid working guidance or flag updates to bring-your-own-device (BYOD) policies.

The Cyber Security Breaches Survey 2025, published by the Department for Science, Innovation and Technology, highlights just how common incidents remain. 43 per cent of UK businesses reported a cyber breach or attack in the past 12 months, but among medium-sized businesses, that figure rose to 70 per cent, and for large organisations, to 90 per cent.

The same report found that businesses with regular staff training and awareness campaigns were more likely to detect and respond to threats promptly. That strengthens the case for low-friction, repeatable tools like quizzes, especially when timed around known periods of vulnerability.

Metrics That Matter

It seems that quizzes can also generate useful insights. For example, platforms such as CybSafe and KnowBe4 offer dashboards showing which questions are commonly missed, which teams or roles may need additional support, and how engagement varies over time. That helps IT, HR and compliance teams refine their approach and demonstrate value to leadership.

These insights can also support wider objectives. For companies pursuing Cyber Essentials or ISO 27001 certification, regular awareness campaigns count as demonstrable evidence of good cyber governance and staff engagement with security.

Crucially, quizzes offer an approachable format. For example, as CybSafe research shows, campaigns framed around positive reinforcement rather than fear or punishment consistently lead to better uptake, stronger recall and healthier behaviours across the organisation.

Real-World Findings Underscore the Risk

Recent UK data reinforces the need for continued staff education. In the Cyber Security Breaches Survey 2025, phishing was identified as the most common attack method by 85 per cent of affected businesses. 65 per cent said it was the most disruptive type of incident they faced.

In the SME sector, a study by GetApp UK found that 94 per cent of phishing attacks arrived via email, and more than two-thirds of businesses had faced multiple attempts in a short timeframe. The simplicity of phishing makes it hard to block completely through technical defences, placing the onus back on staff to spot and avoid traps.

Also, the risk is not limited to newcomers. For example, as a UK workplace study reported by Insurance Edge found, managers were twice as likely as junior staff to fall for phishing scams, despite being more familiar with systems and policies. That suggests even experienced employees benefit from regular and practical reminders.

Taken together, these findings reinforce why so many UK businesses are choosing to run fun, quiz-based cyber campaigns during the summer, to catch complacency before it becomes costly.

What Does This Mean For Your Business?

This approach is not about ticking boxes. It’s actually about creating a security culture that works with people, not against them. For example, quizzes seem to offer a simple, low-pressure way to reset expectations, surface knowledge gaps, and refocus attention on the behaviours that actually reduce risk. They are also easy to run and repeat, which gives organisations more flexibility than formal training cycles often allow.

For UK businesses, the benefits are both immediate and long-term. A short, well-timed quiz can reduce phishing risk, especially among returning staff and new joiners, while also demonstrating good governance to customers, insurers and auditors. When supported by the right follow-up and metrics, these tools become part of a wider risk management strategy, not a standalone event. In sectors where compliance, reputation or customer trust are central, that distinction matters.

The impact also extends beyond the IT team. HR departments, line managers and internal communications teams all have a role to play in making cyber awareness relatable and consistent. Using seasonal campaigns or friendly team challenges helps embed these habits across different parts of the business, rather than leaving them siloed. That shift is key if organisations want security awareness to feel like part of the culture, not just a requirement.

Suppliers, partners and clients also benefit from this raised awareness. In an interconnected economy, a weak link in one organisation can expose others to unnecessary risk. By encouraging regular, engaging training, UK firms not only protect their own operations, but also contribute to a more resilient digital environment across their wider supply chain.

The timing matters too. With rising attack volumes and continued pressure on internal resources, companies that take advantage of the quieter summer period to prepare for Q4 are putting themselves on the front foot. Awareness may not stop every attack, but it can make the difference between a quick recovery and a costly incident. That is why summer quizzes are gaining momentum, and why more organisations are choosing to turn a seasonal lull into a strategic advantage.