Employees Play a Key Role in Fighting Cyberattacks

The number of worldwide cyberattacks is on the rise, and organizations with a global footprint face a relentless wave of attacks by motivated “threat actors.” These actors can be organized multinational criminals, nation states, cyber-activists (known as “hacktivists”) or company insiders. And, their activities can damage a company’s reputation, disrupt its business, and impose financial penalties through regulatory violations and remediation costs.

To combat proliferating threats, it is important to take a holistic approach to cybersecurity that includes the three pillars of organizational transformation: people, process and technology. By far the weakest of these pillars is “people.” It is the most difficult to shore up, because humans, by their very nature, are error-prone creatures. In fact, 90% of cyberattacks are caused by human error, mainly from employees either deliberately or inadvertently violating policies designed to prevent breaches.

Cyber attackers know that employees are the “weak link” in any organization, so they overwhelmingly invest their efforts in them, through activities like phishing attacks and other “social engineering” scams. Their goal is to trick people into giving away their sign-in credentials, so they can get onto the corporate network and into its systems. Once they have accomplished that, they will attempt to seek out and steal the credentials of highly privileged individuals, who are authorized to access the most sensitive assets. This is where the trouble really starts – but it all begins with a single person making a single mistake.

This is why employee awareness and training are critical components of any cybersecurity strategy.

The Pillars of Employee Cybersecurity Training

When building a cybersecurity training program, remember the following:

  • Everyone matters – Executives are not immune to cybersecurity mistakes. In fact, studies show that senior executives tend to be among the worst offenders when it comes to violating security policy. This is because they tend to be very busy and may not notice or participate in cybersecurity training. Plus, the notion of “getting in trouble” is not as acute for a senior executive as it is for rank-and-file employees, so they tend to be less motivated than others to practice good cyber hygiene. This means that training programs must be designed with all levels of employees in mind. And while you’re at it, include the board in your training – board members should be particularly cyber-aware, since they have access to so much confidential information.

  • Reduce stigma – The first few moments after a mistake are critical. Encourage employees to speak up quickly if they think that they have been breached. It is important to impress on employees that admitting mistakes is good and trying to conceal them or make them go away is bad. This runs directly counter to human nature, so it is important to reinforce this concept on a constant basis.

  • Make cyber awareness a habit – Cybersecurity training and expectations should be part of the employee training lifecycle, beginning with orientation and continuing throughout their careers. For companies, it needs to be part of the culture – just like other typical cultural components such as diversity, innovation, dress code and wellness.

Cybersecurity Training in Action

These program examples are just a few ways to prepare a workforce to remain vigilant about cybersecurity threats:

  • Circulate cyber-safe materials – Distribute cyber awareness campaigns to engage and educate employees through communications and training sessions. And, educate employees about new protections when using collaboration tools, such as securing virtual meetings with a password.

  • Employ new media – Engage employees through a variety of media, such as podcasts and gamified training.

  • Distribute time-sensitive cyber alerts – Create a plan to alert employees to emerging phishing scams, ransomware attacks, and social engineering in a timely manner.

  • Test employees’ phishing awareness through training drills – Distribute emails designed to look like phishing attempts and test whether employees can identify them as such.

Employees are the weakest link in cybersecurity – but they can also be the first, and strongest, line of defense. There may be a relentless wave of attacks hitting your organization, but your employees – from staff right up to the CEO – can be an effective “sea wall” if they are trained to be cyber-aware and cyber-safe.


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organization”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 330,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.

© 2020. For information, contact Deloitte Global.
