Cyber-Security: Why Creating Awareness is Key

August 31, 2021

Is the danger of human mistakes sufficiently taken into account?

There is a fil rouge that connects a good number of cyber-incidents that have recently affected companies world-wide: the role of human beings in cyber-security incidents. It´s no mystery that big corporations have increased their budgets for cyber-security protection in the past years. The risk deriving from the absence of such a protection is too big in terms of financial, reputational, and regulatory consequences and thus, cyber-security experts have seen their own positions within the organizational chart (and their resources) boom. The question is: did companies put the necessary effort to tackle human mistakes as well?

symbolic pic cyber-security
The human factor plays a major role in the defense against and prevention of cyber attacks. But is this also taken into account in companies' planning?

The Human Weaknesses

If big corporations have increased the resources for their cyber-security programs, it is questionable whether they have at the same time improved the human aspects of cyber-security. Judging from the dramatic consequences of recent cyber-attacks, with ransom sums being paid to cyber-criminals and/or large revenues lost due to downtime caused by malware, viruses, etc. the result is evident. Companies need to focus more on other aspects of cyber-security.

Human vs Machine?

From a first analysis one might consider the investment in technological capabilities (firewalls, anti-viruses, data loss prevention, etc.) as the first, and only step in reaching a satisfactory level of security. Yet, this is not always the case. You can have the best cyber-security devices ever but if you do not adequately educate your staff and all your other stakeholders (i.e. your customers), well it is highly likely that sooner or later you´ll suffer from a cyber-attack.

pic of a user who has no cyber-security knowledge
The best hardware and software solutions against cybercrime are useless if users can't handle them. Photo © CC0 Licence

Training vs Education vs Awareness

Companies should start giving awareness and education the right importance. Too often, in fact, cyber-security managers see awareness programs as a tedious activity, good to thick off audit requirements. Yet, awareness is more important than that. It does not give people technical skills; it does not only train them in cyber-security competences but rather it supports them in the process of changing their behaviour, and a different behaviour might save your company from cyber-incidents. This is the first step in minimizing the human risk of cyber-security.

Creating a Company Awareness Plan

If you want to have reasonable expectations to survive the next cyber-security attack, you should start providing your staff with cyber security awareness based on the following steps:

  1. Start from where you are, what are your company´s main threats (talk with your employees, they know better where threats might come from)

  2. Try to understand why your company might be the preferred target of cyber-criminals

  3. Is the company expected to suffer from internal or external threats?

  4. Start considering how you want to change your staff´s behaviour (and your other stakeholders´)


Always address human vulnerabilities, not only technical. Introduce human aspects in your security programs, if you want to minimize your cyber-security risks.

Check out the videos and articles on the topic of cyber-security and cybercrime here.

Share this