
The Most Overlooked Cybersecurity Protection in Business? Humans


No matter how sophisticated a cybersecurity threat is, there is a common theme in most attacks, and that is the human element.

Examining recent examples of prominent data breaches, human error has served as a common catalyst for the intensification of each breach. The ransomware that facilitated the 2021 Colonial Pipeline cyberattack was installed after hackers compromised an employee’s password through phishing attempts. The 2022 cyberattack on the U.S. Department of Labor utilized two methods that impersonated department email addresses, spoofing the actual address and buying a similar domain, tricking personnel into sharing information. Whether it is clicking on a link that should not be clicked, downloading something nefarious, or other common mistakes, human performance remains the weakest piece in the cybersecurity chain during attacks.

This is a reality that cybersecurity professionals, government leaders, and C-suite decision-makers face, yet the glaring challenge has been overlooked. We believe the human element of cybersecurity is worth investing in wholeheartedly.

Human-first cyber education

Training is a crucial investment for any organization, but what does human-first training look like? Absent hands-on instruction, which we highly recommend, start by communicating these best practices to staff across the business and government landscapes.

  1. Be careful with credentials: When clicking a link and arriving at a login page, do not enter any credentials. Instead, navigate to the login page without using the link. For example, when a bank emails or texts a link to a login page, do not enter credentials there; go directly to the bank’s website and log in from there. The same practice applies in a professional setting.
  2. Utilize multi-factor authentication (MFA): MFA creates another layer of defense against threats trying to log into an account. Additionally, enabling authentication notifications through MFA will warn users of suspicious activity within an account. When this occurs, the suspicious activity should be reported to IT, and the compromised password should be changed immediately.
  3. Use passphrases over passwords: A passphrase is a type of password that uses a series of words, with or without spaces. When creating a passphrase, four words should be sufficient, but five words are better. Remember to avoid common words, quotes, etc. Most importantly, use a unique passphrase for every account.

Cybersecurity education may differ depending on an organization's exact pain points, but the central focus of the human-first approach should always be protecting individual and organizational information. These tips should better position businesses and government teams to accomplish that goal.

How to run a human-first cyber plan

Businesses and governments have done an admirable job investing in cybersecurity tools to protect their most valuable assets, but organizations must ensure that they use these tools as effectively as possible.

Suppose a company purchases state-of-the-art cybersecurity protection software. Is implementing this tool and trusting its capabilities enough to thwart threats? The answer is no, not without sufficient human input and oversight.

Another key consideration is how organizations make sure they are testing their processes and procedures to verify success. Decision-makers need to ensure that cybersecurity tools are monitored intently, configured correctly, and applied in a manner that lets their organization best leverage the risk/return on investment.

Many of today’s cybersecurity practices have become extremely granular, and rightfully so. Yet, with increased detail, organizations tend to miss the step of scrutinizing why the process is in place, why it matters, and whether it is working effectively.

Beware the trap of investing in the latest and greatest tools without conducting the necessary human education and monitoring that those tools require to achieve optimal security.

Investing in humans will pay dividends

Remember, this is not just a security issue. This is a greater business issue.

From a consultant’s perspective, we advise organizations to assess their current risk posture and determine how to navigate the risk environment most efficiently and effectively. Effectiveness will come from a more educated staff equipped with the knowledge they need to limit individual and organizational cyber risk exposure.

Efficiency will result from the dividends that human education investments pay over time. Commit resources to ensuring that personnel know their cybersecurity responsibilities and how they can best navigate issues as they arise. While tools and technology play a critical role, the human factor is guaranteed to be a common theme in every cyber incident. The question is, how will organizations ensure that their teams are equipped to handle those incidents?

The best place to start is investing in their education.
