forumNordic

Global Visibility for Nordic Innovations

CyberCoach and the M&S Cyberattack: A Missed Opportunity

The recent cyberattack on Marks & Spencer plc (M&S), attributed to the hacking group Scattered Spider, highlights the critical need for comprehensive and psychologically smart cybersecurity training across all levels of an organization. The attack, which reportedly cost M&S up to £300 million in lost profits and wiped more than £600 million off its market capitalization, was rooted in social engineering tactics. These involved impersonating employees and tricking internal help desk staff into handing over credentials—an attack vector that is preventable with targeted human-centric cybersecurity training.

Enter Cult Security Oy, a Finnish cybersecurity company founded in 2018. Their flagship product, CyberCoach, exemplifies a modern, behaviorally-driven approach to cybersecurity awareness. CyberCoach specializes in addressing precisely the kind of vulnerabilities that the M&S breach exposed: the human element.

Rather than focusing solely on technical defenses, CyberCoach provides curated, role-specific training that is both engaging and psychologically safe. It recognizes that a company lawyer, a help desk clerk, and a warehouse employee require different kinds of training to stay vigilant. This differentiation is critical when considering that the M&S breach stemmed from an IT help desk employee inadvertently giving away credentials—a situation that could have been mitigated through simulated social engineering scenarios and frequent, tailored training modules.

Cult Security has also overcome a common roadblock in large corporations: resistance from IT departments to new software. CyberCoach integrates seamlessly with platforms like Microsoft Teams and Slack, eliminating the need for complex installations or IT oversight. This frictionless deployment allows for widespread training without burdening already overstretched IT departments.

From a cost perspective, CyberCoach is competitively priced—especially when juxtaposed against the multimillion-pound consequences of a successful cyberattack. Its use of AI to adapt content in real time enhances user relevance and engagement, further reinforcing its effectiveness. Additionally, the platform collects minimal personal data, ensuring GDPR compliance and fostering trust among users.

Cult Security understands that cultivating a cyber-aware culture requires more than one-off training sessions. It demands continuous education that fits naturally into daily workflows, avoids “security fatigue,” and keeps pace with evolving threats. This is especially important considering groups like Scattered Spider conduct extensive research into their targets, often impersonating staff based on information gleaned from public data and data brokers. CyberCoach prepares employees to recognize and respond to these nuanced, psychologically manipulative attacks.

Had M&S adopted a platform like CyberCoach, it could have substantially reduced the risk of breach by equipping frontline employees with the cognitive tools and confidence to challenge suspicious activity. The investment would have been a tiny fraction of the losses ultimately suffered.

In an era where ransomware gangs operate with increasing sophistication and persistence, human error remains a leading cause of cyber incidents. CyberCoach offers a scalable, smart, and employee-centric solution that could help organizations like M&S transform their staff from the weakest link into the first line of defense.

CyberCoach and its parent company Cult Security do have competitors in the cybersecurity awareness training and human-centric cyber risk management sectors. These competitors are generally larger, global firms. Here are the main ones:

🔐 Top Global Competitors in Security Awareness Training

1. KnowBe4 – Headquarters: Clearwater, Florida, USA

Overview: The world’s largest integrated platform for security awareness training and simulated phishing. KnowBe4 trains millions of users globally.

Strengths:

  • Massive content library in multiple languages
  • Robust phishing simulation tools
  • Strong analytics and reporting
  • Clients: Governments, Fortune 500 companies, SMEs

2. Proofpoint Security Awareness Training – Headquarters: Sunnyvale, California, USA

Overview: A major player in enterprise-grade security solutions, including targeted training.

Strengths:

  • Tightly integrated with Proofpoint’s threat intelligence
  • Granular reporting and threat-driven training
  • Clients: Large enterprises across finance, healthcare, and education

3. Cofense (formerly PhishMe) – Headquarters: Leesburg, Virginia, USA

Overview: Specializes in phishing defense through employee-driven simulations.

Strengths:

  • Real-time phishing simulations
  • User-driven phishing intelligence (Cofense Reporter)
  • Strong focus on reporting and SOC integration

4. Terranova Security (a Fortra company) – Headquarters: Montreal, Canada

Overview: Offers multilingual training programs and custom modules for compliance and awareness.

Strengths:

  • High-quality localized content
  • Integration with Microsoft and other platforms

5. Hoxhunt – Headquarters: Helsinki, Finland (direct Finnish competitor)

Overview: A fast-growing startup focusing on gamified phishing simulations and user behavior analytics.

Strengths:

  • Behavioral science-driven design
  • Strong gamification elements
  • Personalized learning paths
  • Notable overlap: Similar focus on psychological safety and minimal IT overhead

🧠 Niche and Emerging Competitors

These offer specialized or regional alternatives:

SoSafe (Germany) – Strong in the EU, emphasizes GDPR-compliant training.

Living Security (USA) – Interactive, team-based training modules.

Wombat Security (acquired by Proofpoint) – Focused on microlearning.

📌 Positioning of CyberCoach by Cult Security

CyberCoach differentiates itself by:

  • Role-based and AI-curated content tailored to job function
  • Focus on psychological safety and privacy (e.g., minimal personal data collection)
  • Frictionless deployment via MS Teams/Slack integration
  • Finnish/EU roots offering GDPR-native design and competitive pricing

Summary Table

Interest declaration: Your correspondent has a small minority holding of the shares of Cult Security Oy.

Graphic: Cult Security & M&S plc

© 2024 forumNordic. All rights reserved. Reproduction or distribution of this material is prohibited without prior written permission. For permissions: contact (at) forumnordic.com