How Curtins built a more mature, security‑first culture

How proactive strategy, leadership commitment and targeted training empowered Curtins to strengthen its security posture

Takeaways

• Curtins proactively strengthened its security culture before facing a crisis, recognizing potential risks early on.
• Deploying Barracuda Email Protection helped the IT team address impersonation attacks and improve email security beyond Microsoft 365’s native filters.
• Ongoing security awareness training was leveraged not just as a requirement, but as a driver for lasting behavioral change across the organization.
• Curtins’ journey demonstrates the impact of combining technology, leadership engagement and employee education to build a resilient security posture.

Many organizations don’t realize that inadequate security is putting them at serious risk until something goes very wrong. But Curtins was able to perceive the risk and take effective action before they faced a crisis.

Curtins is a 65‑year‑old engineering consultancy with more than 400 employees and a footprint spanning 14 offices across the UK and Ireland. They’re known for their award‑winning work in the built environment. But they’ve also been quietly building something just as important on the security side. The full case study tells the whole story, but here are a few features of their journey worth highlighting.

A turning point for a small IT team

When Curtins first deployed Barracuda Email Protection, it wasn’t during a crisis. It was during a moment of clarity. Their small IT team had been handling a rising tide of impersonation attacks, low security awareness levels across the business, and the feeling that, despite everyone’s best efforts, too many malicious emails were sneaking through Microsoft 365’s native filters.

IT Director David Price is clear-eyed about the fact that security was a low-priority item for Curtins at the time. But thanks to his team’s efforts — and to the visibility and results they get from Barracuda Email Protection — that’s now changed.

“Where we sit today, I’m confident to say [cybersecurity] is right up there, if not number one, within the business. The fact that [senior leadership] are challenging me and talking about it proves that we’re doing the right thing. We’re doing our jobs correctly.”

— David Price, IT Director, Curtins

Security awareness training that moved the needle

One of the standout pieces of their journey is how they used Barracuda Email Protection’s built‑in security awareness training to jump‑start cultural change. Curtins didn’t approach training as a one‑and‑done obligation. They leaned into it as a way to change behavior.

As David said, the security training features “continue to help embed best practices into everything Curtins employees do.” That demonstrates a strong understanding of what it takes to benefit fully from security awareness training and transform the culture.

Time recovered, clarity gained

According to David, the automated incident-response and other capabilities of the Barracuda platform ended up saving their IT team four to eight hours every week in manual threat‑chasing and cleanup work.

“Barracuda has freed up our team to work on higher value, long-term projects designed to make things better and more efficient for our staff. And by improving the overall security posture, we’ve been able to lower our insurance premiums.”

— David Price, IT Director, Curtins

A maturing posture, one step at a time

One thing the Curtins story reinforces is that cybersecurity maturity isn’t a switch you flip. It’s a progression. When you read the case study, you’ll notice how their board’s involvement deepened, how employees became more aware, and how certification milestones like UK government-backed Cyber Essentials Plus became part of their ongoing momentum rather than a finish line.

The difference between where they started and where they are today is stark — not because of one dramatic event, but because of a series of thoughtful decisions.

Follow the full Curtins journey

To get a lot more detail about the challenges Curtins were facing, what surprised them most, the specific threats they were seeing, and how their approach evolved as their security posture matured, be sure to download the full case study. Especially if you have a small IT team and a C-suite that could stand to focus more on cybersecurity, there’s a lot to be gained there.