Facebook Facebook icon Twitter Twitter icon LinkedIn LinkedIn icon Email
weak password


Employee training, not technology, is companies’ biggest cybersecurity gap

Published 31 May 2022 in Technology • 5 min read

The pandemic may have got us into some good habits, such as washing our hands more often, but it has not improved our digital behavior. When it comes to cyber risks, many companies are distracted by technological fixes when they should be paying more attention to good cyber hygiene.


The surge in remote working during the pandemic transformed corporate cyber-risk. Suddenly, organizations’ network perimeter expanded dramatically. In many cases, most employees – if not all – were connecting from outside of company premises and security.

This increased cyber-risk, and organizations often responded quickly with technological solutions such as virtual private networks (VPNs) and two-factor authentication. With these and other tools in place, the increased risk from continued remote working is probably marginal. However, there is a much bigger and longer-term problem: poor cyber-hygiene.

Humans: the most important layer of defense

Wherever they base themselves, outside-facing employees are any organization’s weakest cybersecurity link. Instead of looking for technical vulnerabilities within an IT system, most hackers’ first tactic is social engineering: tricking humans is simply much easier. This explains why surveys show that phishing emails are the most effective form of cyberattack. But it is not just email: hackers also use phone calls and SMS messages, or they simply convince a receptionist to let them into the building.

Unfortunately, most cybersecurity programs are not up to the task of embedding the cyber-hygiene that would protect against this kind of social engineering. Most organizations make employees go through quarterly training, and it is a necessary part of cybersecurity certification. But it is not clear that these really work. After all, what are people learning when they just click to answer a few simple multiple-choice questions?

Even if these lessons do stick in people’s minds, will they change behavior? There is a trade-off with productivity. An organization where employees are unable to log in might be the ultimate in security, but it won’t last very long. That might be an extreme example, but if security measures are too annoying, employees will find it unacceptable and try to circumvent it. However, emphasizing usability can undermine security. This is a balancing act that every organization struggles to pull off.

Cybersecurity priorities

New ways to clean up our act

Three broad changes can help to put in place realistic cybersecurity training across the workforce.

First, programs need cross-functional cooperation, including from HR, IT, and related fields of training and information security. This will often require a substantial shift. The Chief Learning Officer (CLO) and Chief Information Security Officer (CISO), for example, have roles that do not traditionally overlap very much, but they will need to work together much more closely. And both human resources and CLOs rarely see cybersecurity as part of their roles.

This has to change. The first big step toward more effective cybersecurity training is for those in charge of training to become familiar with the topic and buy into its importance. Then, they need to forge strong partnerships with all relevant corporate leaders so that cybersecurity becomes part of the culture. These leaders must set the tone from the top.

Second, the training must be relevant to employees’ daily workplace experiences. Something purchased from an external partner and run once a quarter does not work, because it will not stick in the brain of a worker who is just reading and clicking. Instead, training needs to provide much more creative, emotionally engaging learning opportunities.

Realistic, real-life experiments are a good example of this. Given the threat posed by phishing, some organizations have, on their own or with the help of a specialist supplier, run fake phishing campaigns. Employees receive spam emails that appear genuine, seemingly from colleagues or other sources. The program then scores them on how they perform: whether they correctly report the message or click through on a potentially dangerous link. This kind of initiative can be an effective conversation-starter and will attract more attention than a traditional quarterly course.

Western platforms are also starting to make bets on live commerce. Amazon launched Amazon Live in 2019

Third, employees need to be given information that sensitizes them to the threat environment, so they fully understand the importance of cybersecurity. Sharing distilled summaries of organizational threat intelligence reports, for instance, can be helpful. If an employee hears that five out of 10 leading competitors have been breached within the past month, or that the number of observed attacks is rising, it will increase their interest in cybersecurity and improve their awareness of the operating environment.

And when the organization updates a machine’s security, it should take the opportunity to remind the employee of ways to update the cyber defenses of other technology, such as their phone. Otherwise, protecting just one piece of equipment can give them a false sense of security about risks to the network.

Human beings often think the best of others, and we do not want to change that. Instead, good cybersecurity training will equip people with ways to spot the bad actors that are trying take advantage of them.


Oyku Isik IMD

Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD

Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity Risk and Strategy program. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.


Learn Brain Circuits

Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
Read more 

Explore Leadership

What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
Read more

Join Membership

Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.
Sign up

Log in or register to enjoy the full experience

Explore first person business intelligence from top minds curated for a global executive audience