Strengthening Cybersecurity: It's Time to Put People First

A significant part of the solution lies with the people who interact with systems daily. A recent Verizon Data Breach Investigations Report highlights a concerning trend: 68% of breaches involve non-malicious human error, a statistic that should serve as a wake-up call for organizations of all sizes.

The real issue isn’t just a lack of cybersecurity awareness; it’s the failure to properly implement and practice what is learned. We can provide employees with training and cyber-awareness challenges, but if they aren't engaged or encouraged to apply what they’ve learned, that training becomes irrelevant. As my co-host Shannon mentioned, "It's not that people aren't getting the education—they are. It's that they're not paying attention to it."

A key example of this comes from the age-old tactic of social engineering. Attackers prey on human weaknesses, exploiting gaps in attention or judgment rather than technological vulnerabilities. We’re seeing attacks where intruders get in through the human element: phishing schemes, mishandled information, or simply showing up as a “maintenance worker” without raising any suspicion.

While 14% of breaches are caused by system vulnerabilities, it’s vital to recognize that 62% of financially motivated breaches involve ransomware—costing businesses a median loss of $46,000 per incident. This shows that cybercriminals are well aware of both human and technical weaknesses.

For smaller businesses, these figures are even more alarming. They often lack dedicated cybersecurity teams, a CISO, or even basic safeguards like a business continuity plan. As I’ve experienced firsthand, many small companies are overwhelmed during audits because they don’t have robust cybersecurity frameworks in place. As I said on the show, "Their CEO is also their CTO, and maybe even their CIO." The result? Gaping security holes that make them prime targets for attackers.

But there’s hope. Resources like NIST’s cybersecurity templates provide a starting point, and organizations can seek help from agencies like CISA. Yet without the time or dedicated personnel to implement and enforce these strategies, even the best guidelines can fall flat.

What can we do about it?

  1. Training Needs Engagement: It’s not enough to throw a bunch of slides at employees. Engage them. Add humor, ask questions, and make them part of the conversation. As Shannon said, "I try to liven it up as best I can." Security awareness training has to be more than just a box-ticking exercise.
  2. Build a Culture of Security: Companies, especially small businesses, need to understand the importance of a security-first mindset. They must prioritize cybersecurity in their daily operations and cultivate a culture where employees are constantly vigilant.
  3. Hire for Passion, Not Just Certification: The cybersecurity field is often gatekept by requirements for degrees and certifications, yet attackers don’t need those to breach systems. As I pointed out in the podcast, "We have to get out of our head that it takes a million degrees and certifications to be in our field." We need passionate people who are curious and willing to learn.

At the end of the day, security starts with us—the people behind the screens. With better engagement, awareness, and a strong security culture, we can make a real difference in reducing the human error that leaves us vulnerable to attack.

Thank you for reading, and stay tuned for more episodes of The Other Side of the Firewall podcast on Mondays, Tuesdays, Wednesdays, and Fridays, as well as the Ask A CISSP podcast every Thursday. Make sure to also add The Cyber Coffee Hour to your podcast rotation! Please like, share, and subscribe.

Stay safe, stay secure!


Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current roles at RAM Cyber Consulting & Assessments, LLC and BuddoBot. BuddoBot’s mission is to support national security by transforming, empowering, and educating organizations to shift from reactive, diluted, automated, and high-cost IT and security practices to proactive, effective solutions that fortify their security.


Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO) for the U.S. Space Force, where he continues to enhance national security protocols.


Chris, a Navy veteran with over ten years in IT, information assurance, and risk management, currently works at CompliancePoint. His roles include vCISO, RMF assessor, and consultant, focusing on enhancing data security and privacy for various organizations.


Daniel is an Air Force veteran with over 15 years of combined experience in IT, cybersecurity, information assurance, and government risk compliance. He has held various roles, including IT administrator, cybersecurity engineer, senior information system security manager, and currently serves as a senior security consultant for Booz Allen Hamilton. In this latest role, Daniel leverages his expertise to address unique and complex challenges in the cyber and IT domains, enhancing his customers’ capabilities.


The Other Side of the Firewall podcast is a product of RAM Cyber Consulting & Assessments, LLC. RAM Cyber is a premier Governance, Risk, and Compliance (GRC) consultancy dedicated to supporting the Defense Industrial Base (DIB), Federal agencies, and corporate entities. We specialize in delivering expert guidance to ensure compliance, mitigate risks, and enhance cybersecurity postures. RAM Cyber is pending SDVOSB, VOSB, and 8(a) certification by the SBA, underscoring our commitment to excellence and service.