IN BRIEF:
• Recognizing employees as the cornerstone of cybersecurity, organizations must shift from tech-centric defenses to fostering a vigilant, security-aware culture.
• Comprehensive education and behavioral change strategies are essential to mitigate human-related security risks and reinforce a collective approach to cybersecurity.
• A balanced strategy that combines technological tools with human oversight and continuous cultural development is key to maintaining a resilient cybersecurity posture.
Cybersecurity threats are more sophisticated and pervasive than ever. While companies invest heavily in advanced technology and security protocols, the most critical line of defense consists of their own employees. Despite having robust security measures in place, organizations frequently find themselves vulnerable due to human error, negligence, or a lack of awareness. This reality underscores the urgent need for a shift in focus — from solely relying on technology to cultivating a culture where every employee actively contributes to cybersecurity.
THE CRITICAL ROLE OF HUMAN BEHAVIOR
The prevalence of cyberthreats in our interconnected world is undeniable, and the assumption that technology alone can safeguard information security and privacy is a misconception. A security-conscious culture within an organization is essential to effectively complement and enhance the technical safeguards already in place.
IT risk management, therefore, must be a holistic practice that not only includes technological solutions but also addresses the human factors that significantly influence the security landscape.
HUMAN ERROR AND SECURITY BREACHES
Human error remains a leading contributor to security breaches. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element, such as a person falling for a social engineering attack or making a mistake. The financial consequences are severe: IBM's 2024 Cost of a Data Breach Report puts the global average cost of a breach at $4.88 million, the highest figure recorded to date. That average covers not only the direct costs of detection and response but also lost business, which is where the longer-term reputational damage of a breach shows up.
Case studies from various industries have shown that breaches often stem from a lack of awareness or negligence, underscoring the importance of addressing human error as a critical component of cybersecurity strategies.
HUMAN BEHAVIOR IN CYBERSECURITY
Delving into the psychological and behavioral aspects of cybersecurity reveals that human actions are often the weakest link in the security chain. Common risky behaviors such as password reuse, oversharing on social media, and susceptibility to phishing and social engineering attacks can significantly compromise an organization's security. Each of these compounds the others: a password reused across services lets a single leaked credential unlock other accounts, and details shared publicly give an attacker the material to craft a convincing pretext. To mitigate these risks effectively, organizations need to understand the motivations and cognitive biases that drive such behaviors and develop targeted strategies that promote secure practices.
To combat the risks associated with human behavior, organizations must implement comprehensive and continuous education programs that raise awareness about the dangers of insecure practices and actively engage employees in adopting and maintaining secure habits. These programs should be dynamic, incorporating real-life scenarios and practical exercises that resonate with employees and foster a sense of personal responsibility for cybersecurity.
SECURITY-CONSCIOUS CULTURE
Creating a security-conscious culture within an organization begins with the development of engaging and effective training programs. These programs should be designed to capture the attention of employees, providing them with the knowledge and skills necessary to recognize and respond to cybersecurity threats. Leadership commitment is crucial in reinforcing the importance of these programs, ensuring that security awareness is not just a one-time event but an ongoing priority.
A human-centered approach to designing security processes and IT risk management is essential. By considering the user experience and incorporating principles of secure-by-design and human-centered design, organizations can create systems and processes that naturally encourage secure behaviors. The promotion of security champions within teams can also further embed security awareness into the fabric of business operations.
The responsibility for maintaining a secure environment extends beyond the cybersecurity function or the Chief Information Security Officer (CISO). It is a collective responsibility that requires the engagement and participation of every employee. By instilling a culture where security is viewed as a shared obligation, organizations can create a more resilient and vigilant workforce capable of defending against cyberthreats.
TECHNOLOGY AND HUMAN OVERSIGHT
While technology plays a vital role in supporting good security habits through tools such as two-factor authentication and password managers, human oversight remains indispensable. These tools have limits that employees should understand: a one-time code can still be handed to a convincing phishing page, and a password manager protects only the credentials that are actually stored in it. Employees must therefore be trained to recognize where the tools stop and their own vigilance begins, so that security practices are applied consistently in daily work.
The balance between automating security processes and maintaining human oversight is particularly important in the context of Zero Trust models. These models grant no implicit trust based on network location or past access; every request is verified against the identity of the user, the state of the device, and the sensitivity of the resource. Technology performs that verification at scale, but people still define the access policies, review the exceptions, and investigate the alerts that automation raises, so the model depends on both.
Evaluating the effectiveness of security awareness programs is critical to ensuring that they meet their objectives. Useful measures include the click rate and, more importantly, the report rate in phishing simulations, the time it takes employees to report a suspicious message, and the number of incidents traced to avoidable user actions, tracked over time rather than at a single point. Organizations should treat these programs as a cycle of continuous improvement, staying abreast of emerging threats and adapting their content to the evolving cybersecurity landscape.
SECURING THE FUTURE
Fostering a culture of security and privacy awareness is a collective endeavor that requires the active participation of every individual within an organization. By integrating the human element into IT risk management strategies, organizations can build a resilient defense against cyberthreats.
Continuous education and cultural evolution are imperative in promoting this balanced approach in risk management, ensuring that organizations remain vigilant and prepared to face the rapidly evolving cybersecurity challenges of the digital age.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.
Joseph Ian M. Canlas is a risk consulting partner and ASEAN core consulting quality leader, and Christiane Joymiel C. Say-Mendoza is a risk consulting partner, both of SGV & Co.