By Jeff Aiken, Cyber Security Manager
When it comes to cybersecurity, your people are both your greatest asset and your greatest vulnerability. The data is painfully clear on this: 95% of data breaches in 2024 involved human error, and 88% of cyberattacks are linked to human mistakes. Our experience serving hundreds of customers aligns with these stats.
Addressing the critical human element of cybersecurity requires a comprehensive approach built on three essential pillars:
1. Training: Building Genuine Awareness
Security awareness training can’t be a compliance checkbox; it needs to be ongoing and engaging. Some organizations treat training as one-and-done: employees rush through annual modules and promptly forget everything.
According to Mimecast’s State of Human Risk Report, while 87% of organizations say training has helped employees spot attacks, 66% remain concerned about insider data loss. The problem? Training often lacks relevance and reinforcement.
Effective training includes regular phishing simulations reflecting current tactics, scenario-based learning relevant to employees’ roles, and recognition training for sophisticated social engineering. Notably, just 8% of employees account for 80% of security incidents—targeted training for high-risk individuals can dramatically reduce vulnerability.
Interestingly, 86% of employees say they can confidently identify phishing, yet nearly 50% admitted to falling for scams. This overconfidence creates dangerous blind spots.
2. Cybersecurity Policies and Procedures: Clear Guidelines for Everyone
Just as retail businesses have detailed cash handling procedures, organizations need comprehensive cybersecurity policies that everyone understands. These shouldn’t be buried in 100-page handbooks—they need to be clear, accessible, and regularly reinforced.
Good policies cover the basics: handling sensitive data, verifying identities, reporting suspicious activity, and acceptable use of resources. But they also need to explain the “why.” When employees understand that verifying a caller’s identity isn’t red tape but a critical defense against social engineering, they’re more likely to follow through. With collaboration tools seeing a 7% increase in attacks and 79% of organizations citing new security loopholes, policies must extend beyond email to cover all communication platforms.
The key is to make policies part of regular, ongoing conversations. When someone follows verification procedures and catches an attack, celebrate it. When someone takes a security shortcut, address it immediately—not as punishment, but as a teaching moment.
3. Consequences: Taking Security Seriously
If cybersecurity is truly a critical business priority—comparable to workplace safety or financial controls—we need to treat it that way. That means clear, documented consequences for policy violations.
This isn’t about being punitive. Consider a three-tier approach like this: the first incident triggers additional training, the second incident results in a formal warning and mandatory coaching, and the third incident leads to serious consequences, potentially including suspension or termination if circumstances warrant it.
The specific framework matters less than having one. Employees need to know security policies aren’t suggestions—they’re requirements. And organizations must apply consequences equally across all levels. When executives get a free pass, it undermines everything.
Why This Matters Now
The threat landscape continues evolving at a breakneck pace. Attackers use AI to craft convincing phishing emails and social engineering tactics that exploit psychological vulnerabilities.
For many businesses, one successful attack could be catastrophic. At Emerge, we’ve spent over two decades helping organizations strengthen security. While we invest heavily in enterprise-class tools and monitoring, we know technology alone isn’t enough. The most sophisticated security platform can’t protect you if an employee hands over credentials on a phone call.
Building a Security Culture
Creating a security-conscious culture requires consistent messaging from leadership, regular reinforcement of principles, celebrating employees who catch threats, and honest communication about why security matters.
Think of workplace safety in manufacturing. Nobody questions the consequences of violating safety protocols—everyone understands that shortcuts can lead to injuries. Cybersecurity deserves the same seriousness.
The problem isn’t people, per se, but rather untrained, uninformed, and unaccountable people. The solution is to invest in their development, provide clear guidance, and treat security with the same seriousness we apply to every other critical business function.
Want to learn more about how Emerge can help strengthen your organization’s security posture through technology, training, and best practices? Contact us to start a conversation with our team.
