Ask ChatGPT or Google what’s the single biggest cause of cybersecurity breaches, and they’ll tell you unequivocally: ‘human error’.
In other words, we’re to blame. But while people are often labelled the weakest link, I believe we need to turn this characterisation on its head.
Instead of pointing the finger of blame at people, they should be viewed as the first line of defence. Instead of seeing them as risks to be managed, they should be regarded as a key security asset. Why? Because a good security culture starts with people, and technology comes after.
For leaders, this means binning any attachment to old-school, one-size-fits-all awareness campaigns that lecture the audience rather than engage it. Leaders must adopt a different approach that accepts human frailty from the outset and designs awareness around it. And the first thing I would do is be open and transparent about the problems we face.
Seeing the threat for themselves
As most people are completely unaware of what happens behind the scenes to keep organisations safe, you need to show them the scale of the problem. A visit to a security operations centre may be impractical, but a live feed or an internal security dashboard showing aggregate figures (phishing emails blocked, malware detections, reports received that day) shows exactly what is happening behind the scenes. No poster campaign could ever do that.
Give people the tools to help themselves
Once they understand the threat they face, they must be given the tools, context and confidence to act without fear of recrimination when something goes wrong. Mistakes happen; since we can't eliminate them, the next best step is to catch the resulting incident early and learn from it.
In some cases, this might mean adding a simple ‘Report’ button to the mail client so that flagging a suspicious email to the security team takes one click. It's crucial to remember that when people feel trusted, they're more likely to stop hiding errors and start reporting them. This shift in mindset is where resilience begins.
Make awareness continuous and connected
I know October is Cyber Security Awareness Month, but what about the rest of the year? Awareness isn’t something you can ‘do’ annually and bin it off for the other 11 months of the year. What’s more, it has to be planned properly to keep people interested. For example, you could try TikTok-style videos, internal updates and peer-to-peer sessions or create a network of ‘security champions’ in different departments to help promote best practices, provide feedback on local issues and make cybersecurity conversations part of daily culture.
I would also look to employ creative experts in communications including marketing, social media, and public relations to develop a continuous programme of events. If there’s something in the news, such as a major breach or a new twist on artificial intelligence-generated phishing emails or deepfake audio and video scams, then they are best equipped to get that story out there. The goal of all awareness training is rhythm instead of repetition to keep people switched on.
Train for reality, not routine
As I said earlier, generic, one-size-fits-all training doesn't change behaviour. Instead, we need to tailor the training to specific departments. For instance, finance teams should practise spotting fraudulent invoices, while HR should focus on rogue CVs (a common carrier for malicious attachments) and the safe handling of personal data.
Then we need to make it real by using a controlled cyberattack simulation or scenario-based drills that mimic real threats. When people see their own risks reflected and experience the stomach-churning feeling of a simulated breach alongside the pressure to respond in real time, awareness becomes real.
These exercises can be extremely powerful because they reveal more than technical weaknesses. Putting people on the spot forces them to work through a realistic situation, so that, should the worst happen, they know when to act, who to inform and how to communicate under pressure.
Importantly, everyone should be treated equally, including people right at the top of the organisation: executives are both frequent targets and the people everyone else takes their cue from.
Measure behaviour, not attendance
If you manage to accomplish even part of this, there's a temptation to sit back and acknowledge a job well done. But that is the complacency trap: ticking the ‘training complete’ box means nothing if behaviour doesn't shift. Measure what matters instead, such as how quickly employees report suspicious activity, what proportion fall for phishing simulations, how many report a message even after clicking it, and whether communication lines improve after incidents.
By measuring what matters, you can start to plot progress – or not – with insights that will help shape and inform future awareness training. Some organisations now track ‘time to report’, the time between a phishing attempt landing and someone flagging it. Reducing this window from hours to minutes can transform risk exposure, and it is worth tracking both the time to the first report (one early flag lets the security team pull the message from every other inbox) and the median across recipients (which shows whether the whole population is getting faster).
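The ‘Report’ button and the ‘time to report’ metric described above come together in the kind of script a security team would run over the events from a phishing simulation. The following is an added example, not code from the author or from SolarWinds; the event log format (one record per delivery, click or report, with an ISO-8601 UTC timestamp) and the sample events are constructed for illustration.

```python
"""Phishing-simulation metrics: click rate, report rate and time to report.

Added example. The event format is a hypothetical export from a
simulation tool: one dict per event with campaign, user, kind in
{"delivered", "clicked", "reported"} and a UTC timestamp.
"""
from datetime import datetime, timezone
from statistics import median

# Constructed sample events for one simulated campaign (not real telemetry).
EVENTS = [
    {"campaign": "q3-invoice", "user": "alice", "kind": "delivered", "ts": "2024-09-10T09:00:00Z"},
    {"campaign": "q3-invoice", "user": "bob",   "kind": "delivered", "ts": "2024-09-10T09:00:00Z"},
    {"campaign": "q3-invoice", "user": "carol", "kind": "delivered", "ts": "2024-09-10T09:00:00Z"},
    {"campaign": "q3-invoice", "user": "dave",  "kind": "delivered", "ts": "2024-09-10T09:00:00Z"},
    {"campaign": "q3-invoice", "user": "alice", "kind": "reported",  "ts": "2024-09-10T09:04:00Z"},
    {"campaign": "q3-invoice", "user": "bob",   "kind": "clicked",   "ts": "2024-09-10T09:12:00Z"},
    # bob clicked and then reported: still a success signal, so count it separately
    {"campaign": "q3-invoice", "user": "bob",   "kind": "reported",  "ts": "2024-09-10T09:20:00Z"},
    {"campaign": "q3-invoice", "user": "carol", "kind": "reported",  "ts": "2024-09-10T11:30:00Z"},
    # dave neither clicked nor reported: the "silent" group to follow up with
]


def parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def campaign_metrics(events, campaign):
    """Summarise one campaign. Events may arrive in any order."""
    delivered = {}   # user -> delivery time
    clicked = set()
    reported = {}    # user -> earliest report time
    for event in events:
        if event["campaign"] != campaign:
            continue
        when = parse_ts(event["ts"])
        if event["kind"] == "delivered":
            delivered[event["user"]] = when
        elif event["kind"] == "clicked":
            clicked.add(event["user"])
        elif event["kind"] == "reported":
            user = event["user"]
            if user not in reported or when < reported[user]:
                reported[user] = when
    if not delivered:
        raise ValueError(f"no deliveries recorded for campaign {campaign!r}")

    # Time to report in minutes, per recipient who reported.
    ttr_minutes = [
        (reported[user] - delivered[user]).total_seconds() / 60
        for user in reported if user in delivered
    ]
    return {
        "recipients": len(delivered),
        "click_rate": len(clicked) / len(delivered),
        "report_rate": len(reported) / len(delivered),
        "clicked_then_reported": len(clicked & set(reported)),
        # First report is what lets the SOC pull the message from other inboxes.
        "time_to_first_report_min": min(ttr_minutes) if ttr_minutes else None,
        # Median shows whether the population as a whole is getting faster.
        "median_time_to_report_min": median(ttr_minutes) if ttr_minutes else None,
        "silent": sorted(set(delivered) - clicked - set(reported)),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS, "q3-invoice").items():
        print(f"{key}: {value}")
```

Run the same function over each successive campaign and plot the two time-to-report figures together: a falling first-report time shows the ‘Report’ button is working, while a falling median shows the training is reaching more than the handful of early reporters. The ‘silent’ list identifies who did not engage at all, which is the group tailored follow-up should target.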
Ultimately, what you’re looking to achieve is an approach to cybersecurity as automatic as locking your front door or buckling a seatbelt. That means leaders modelling good behaviour, peers calling out bad habits and everyone seeing cybersecurity as part of doing their job well. When people feel part of the overall solution, they stop being the weakest link and start becoming an integral part of your defence strategy.
About the Author

Sascha Giese is SolarWinds Tech Evangelist™. SolarWinds began with two IT professionals trying to solve complex problems in the simplest way. Today, we still take pride in developing deep, real-world understanding of the challenges our customers face. That’s how we deliver intuitive, time-saving solutions and speed-to-value like nobody else.


