Why staff are your biggest security risk

Here’s a hard truth: your expensive security software can’t protect against human nature.

The Australian Signals Directorate (ASD) keeps saying it: human error leads to most serious data breaches.

CERT NZ agrees, confirming $3.6 million was lost to unauthorised access attacks in just three months (Q2 2024). That’s more than half of all cyber crime losses in the country. And guess what? Most of these attacks start with someone clicking something they shouldn’t.

Yet businesses keep making the same mistake. They buy fancy tech solutions while ignoring their biggest weakness: their people.

The real problem isn’t your staff

Your team isn’t trying to cause problems. They’re:

  • Racing to hit deadlines
  • Drowning in emails
  • Juggling customer demands
  • Working from home more than ever
  • Trying to do their actual jobs

Add in pressure to be quick and efficient, and you’ve got a perfect setup for mistakes. Cybercriminals know this, and they’re getting better at exploiting normal human behaviour.

Traditional security training is broken

You know how it goes. Once a year, everyone sits through:

  • Death by PowerPoint presentations
  • Confusing technical jargon
  • Made-up scenarios that don’t feel real
  • Information overload
  • Box-ticking exercises that mean nothing

Two weeks later, everyone’s forgotten everything and gone back to their old habits. Money wasted, time wasted, and you’re still not protected.

Why people click bad things

Look at the latest CERT NZ data: in Q2 2024, phishing and credential harvesting made up 484 reported incidents, the highest of any attack type.

Understanding this is crucial. Your staff click dangerous links because cybercriminals are masters at pushing psychological buttons:

  • Urgency: “Your account will be locked in 60 minutes!” People panic and click without thinking.
  • Authority: “Urgent message from CEO about your salary.” Nobody wants to ignore the boss.
  • Fear: “Unusual login detected on your account.” Fear beats logic every time.
  • Curiosity: “See who’s been viewing your profile.” Basic human nature wins again.

These tricks work because they target emotions, not logic. Traditional training doesn’t stand a chance.

A better way: monthly bite-sized training

Think about how you learned to drive. Not in one big session, but bit by bit, building skills over time. Security training works the same way:

  • Short, focused sessions that don’t overwhelm
  • Real scenarios from actual attacks
  • Each lesson builds on the last
  • Regular practice makes it stick
  • Progress you can actually measure
  • Training that evolves as threats change

Building a security-aware culture

Forget being the “security police.” That doesn’t work. Instead, build a workplace where:

Security is just part of the job:

  • Like washing your hands in a restaurant
  • Or wearing a seatbelt in a car
  • It becomes automatic

Open conversation is normal:

  • “Hey, this email looks weird to me”
  • “Can someone check if this link is safe?”
  • “I think I might have clicked something bad”

Mistakes are learning chances:

  • No blame games
  • Focus on fixing and preventing
  • Share lessons learned

Testing that works

Regular testing needs to:

  • Feel like real threats
  • Give instant feedback
  • Help people improve
  • Celebrate when people spot threats
  • Show where more training is needed

But most importantly – it shouldn’t terrify your staff.

Making it happen: practical steps

  1. Know where you stand: Get an honest assessment of your team’s current security awareness. You can’t fix what you don’t measure.
  2. Get certified: Show your team (and your customers) that you’re serious about security. Get your whole organisation certified in cyber resilience.
  3. Start monthly training: Break free from annual compliance nightmares. Move to regular, relevant training that people actually remember.
  4. Make reporting easy: Create clear steps for reporting suspicious things. Make it easier to report than ignore.
  5. Track progress: Build security awareness into regular performance discussions. Make it part of everyone’s job.

The numbers tell the story: Despite seeing fewer total incidents (1,203 in Q2 2024, down from 1,537 the previous quarter), CERT NZ suggests financial losses actually increased to $6.8 million. This proves something crucial: criminals are getting better at targeting your people, not your systems. Each successful attack is more devastating than ever.

Your staff will always be either your biggest weakness or your strongest defence. There’s no middle ground.

Businesses with proper, regular security training are far harder to attack. But it has to be the right kind of training.

Ready to turn your team into your best security asset?
Get started at https://certifiedcyberresilient.com/

Don’t wait for a breach to prove your training doesn’t work. Build real protection now.
