The human element of cybersecurity: developing a people-centric cyber strategy

Movies present hackers as smart individuals using advanced technology to infiltrate a company. But the sobering reality is that they consistently exploit a vulnerability that technology alone cannot patch — the human element.

According to Verizon, the US telecom giant, approximately 90% of breach incidents begin with a social engineering attack targeting a human victim. This statistic may lead you to believe humans are the weakest link in your cybersecurity strategy, but the truth is quite the opposite.

Why people are your most important security control

With over 989,000 unique phishing attacks detected in the final quarter of 2024, the obvious answer is to reduce dependence on humans and use artificial intelligence (AI) to prevent these attacks. But automated systems have limitations that make employees a more efficient first line of defence:

  • AI lacks human intuition: Fully automated security systems are designed to recognise patterns, making them great at detecting system-level threats. But they lack human intuition and context to identify personalised social engineering attacks.

  • AI can't look for novel threats: Even when they're trained to perceive attacks, automated systems can only detect what they’ve been programmed to look for. Any new social engineering tactic may go unidentified until damage is done. 

  • AI can only detect, not protect: Automated security tools usually only alert you to a potential threat. Security professionals are still needed to analyse the data, determine a genuine risk, and decide on next steps. 

These limitations clearly show that a human-centric cybersecurity approach is still the best firewall available to a business. 

Building ongoing training and awareness programmes

Organisations often treat security training as a yearly checkbox exercise. But that won’t work for a people-centric security strategy, which makes cybersecurity every employee’s responsibility. 

Create continuous training programmes

A 2024 survey found that yearly training programmes are not enough to reduce the probability of employees clicking on phishing links. What does help is a continuous learning programme delivered every quarter. This cadence reinforces the cybersecurity training protocol while also updating employees on the latest threats. Monthly phishing simulations can also keep cybersecurity top of mind throughout the year.

Adapt training programmes for new threats

In their 2025 Global Threat Report, CrowdStrike revealed that 26 new cyber threats were introduced the previous year. To ensure training remains effective, regularly update your programme to reflect the current threat landscape. Track the latest threats through cybersecurity groups, threat reports, or external vendors. You can also send out security tip newsletters regularly to your employees with the latest cybersecurity news.

Customise training to professional responsibilities

A one-size-fits-all cybersecurity training programme won’t work in most cases, as it overloads employees with unnecessary information that doesn’t pertain to their jobs. By narrowing the scope to cover role-specific scenarios, you can ensure training is relevant, practical, and relatable. The SANS Institute agrees - targeted simulations and coaching resulted in a 35% reduction in repeat clickers, with fewer costly incidents, faster detection, and reduced IT workload. 

How to navigate jurisdictional variations in cybersecurity risks

Cybersecurity regulations vary across different countries and regions, affecting security policies and employee training. Mid-market companies should be mindful of these variations to ensure security awareness efforts are compliant and effective. 

Regional considerations around cybersecurity regulations

In many industries, security awareness training is a mandatory requirement. But the exact expectations and emphasis can vary depending on the region. For example, European standards like the General Data Protection Regulation are mandatory, while the National Institute of Standards and Technology’s Cybersecurity Framework in the US is voluntary. This makes it important to augment your global training curriculum to cover local laws and industry regulations. You can conduct regular compliance audits to ensure your training covers current and upcoming laws. 

Cultural considerations around cybersecurity regulations

Culture plays a major role in how people communicate, behave online, and even fall victim to cybercrime. For example, phishing attacks in the US usually increase during the holiday season. Stores are running discounted sales, and the fear of missing out on great deals drives buyers to click on even suspicious links.

These cultural nuances also appear in the workplace. Some employees may question authority, while others may be less inclined to challenge instructions, even if something seems suspicious. Tailoring your course to address these differences can improve its relevance and effectiveness. Multinational companies that implemented culturally adapted security protocols saw a 35% improvement in threat detection and a 45% reduction in response times.

Addressing the cybersecurity skills gap

As of 2024, the global cybersecurity workforce required about 4 million professionals to meet demand. For mid-market firms, bridging this gap is critical to building a strong human defence. Here are some strategies to address cybersecurity skills shortages within your organisation:

  • Develop internal talent: Train staff with an interest in cybersecurity to take on security roles or responsibilities. This is one of the most cost-effective and efficient ways to bring the right skills into your workplace.

  • Utilise government programmes for upskilling: Many countries offer government-funded cybersecurity awareness toolkits, training programmes, and subsidies for skill development.

  • Leverage external partnerships and experts: If developing internal expertise proves fruitless, outsourcing specialised tech experts is your next best option. This is particularly useful for mid-market businesses with limited budgets looking for support on cybersecurity training and detection.

Creating a people-first cybersecurity culture

Building a people-first cybersecurity approach means creating a culture that embeds cyber threat awareness and best practices in every process, decision, and conversation. Here are a few tips to help you get started:

1. Instil threat awareness from day one: Cybersecurity training should be part of your onboarding process. This will teach employees to instinctively think about security in their daily tasks, whether it’s handling a client’s data or configuring a new software tool.

2. Offer positive reinforcement: Encourage and reward good security behaviours, rather than focusing solely on punishing mistakes. Create a safe environment where employees can report a cyber breach or threat without worrying about severe consequences.

3. Establish clear reporting and response protocols: Reporting protocols can vary depending on the industry and region. Ensure your process complies with regulatory requirements to avoid regulatory scrutiny.

4. Encourage leadership to set the tone: The attitude of the C-suite and senior management will influence the entire organisation. Executives who prioritise security in meetings, training sessions, and communications will encourage employees to visibly and vocally prioritise the same.

Strengthen your human firewall with HLB

There is no better time to be “cybersecurity-first” than Cybersecurity Awareness Month this October. It's the perfect reminder that technology alone cannot protect organisations from the escalating threat of social engineering.

The best cybersecurity defence is a robust human firewall built through continuous training and cultural awareness - and HLB can help you accomplish just that. Our comprehensive cybersecurity services help organisations train employees, implement human-centred security strategies, and bridge the cybersecurity skills gap through our network of experts.

Contact us today to create a cybersecurity strategy that combines robust human-centred security programmes with cutting-edge technical defences.
