Most of us assume that technology alone can protect us from cybersecurity threats, and we neglect the role of the human factor. But in today’s landscape of ever-increasing cybercrime, with threat actors adjusting their techniques, tactics and procedures to perfect ransomware ploys, social engineering, identity theft and everything else, the human factor should be at the forefront of our defence. Just as importantly, the technology, devices and software we use to counteract cybercrime were all designed, developed and manufactured by people like you and me.


At first, this might sound odd, but an analogy between cars and best cybersecurity practices makes a good point. As Bert Skaletski, the CIO at the science and technology company Merck KGaA in Germany, says:

“I often compare cyber security with automobile examples: We buy cars full of fancy safety features designed around the risks of a potential crash: airbags, EPS, ABS, automatic braking, you name it. A car full of technology – in cyber security terms this would be antivirus scanner, advanced email filters, for example – won’t remove the need for us humans to be cautious and drive defensively. The state demands that you take hours of driving lessons and pass a driver’s exam. Why wouldn’t we train people on how to act in certain cyber security “traffic situations” or act defensively in order to avoid or minimize cyber security “accidents”? Neither technology nor our behaviour will be able to protect us one hundred percent but if we combine both factors, we can greatly reduce risks to the point that we are able to operate and conduct our business.”

Skaletski is spot on target. You can have the best cybersecurity systems that money can buy, use the most robust firewalls available and apply updates right on time but if the human factor is off-kilter, you are providing an open invitation to hackers.


Some say that the human factor is the weakest link when attempting to implement a secure cyber environment. A massive corporation like Apple or a one-person-operated SME could have the best cybersecurity technology but if they don’t use it properly then disaster will strike. Not might but will. And people love to make excuses claiming that they are short on human resources, don’t have the time or that they simply forgot to run an update. So often businesses have made the effort to put the initial security measures in place to protect systems and data. But thanks to the human factor, there is no follow-through. They chose not to update the server or push out the critical Windows update. Some organizations don’t even have a current backup. Ed Tuorinsky, Managing Principal at DTS in Washington DC, says:

“I do understand it, but I don’t accept it. There’s no reason. There’s no ambiguity about it. It’s either protecting you the way it was designed to, or it’s not. Use the technology you have correctly.”


While the human factor may leave us open to cybersecurity vulnerabilities, it can also be leveraged to thwart threats. Remember that every software or security monitoring system requires human interpretation of alerts. Unlike machines, our brains have the ability to process multiple inputs and even hunches are useful to indicate that something might be amiss. As Tuorinsky says:

“We tend to look to technology to bulk up our security stance when a better approach may be to dig deeper into human nature – and those norms, habits and quirks we all have – and develop a security mindset that uses what we’re best at: complex reasoning.”


‘I’m only human’ is also an excuse when it comes to inadequate cybersecurity. Nevertheless, people are human – and they show up to work bringing with them their talents, problems and even threats. But it is possible to exploit the human factor to benefit both awareness and good practice. Tuorinsky recommends the implementation of these IT principles:

  • Be patient – good cyber hygiene takes time. Updating, scanning emails and backing up may lower productivity but it’s worth it in the long run.
  • Don’t skip steps – multi-factor authentication (MFA) is time-consuming but it’s there to facilitate compliance.
  • Compartmentalize – systems should only be accessed on a ‘need to know’ basis, with auto-monitoring used to control access.
  • Continuous education – continually update your employees about new threats and remind them that they could be easy targets. When it comes to the security of your IT, trust nothing or no one.
  • Learn from testing – send fake emails and simulate an attack or ransomware situation. This way we learn and can anticipate the worst should it happen.


Imagine that you live in a neighbourhood where theft is prevalent. Every night, would-be thieves descend to examine the available pickings. If a car door is locked, they move on to the next. If unlocked, they grab anything of value. The solution is simple – lock your doors. The same applies to your IT so let me lock your cybersecurity doors for you. I have over 20 years of experience in professional business IT, specializing in risk mitigation and cybersecurity. I can help you implement firewalls, intrusion detection, internet filtering, DNS proxy, and antivirus software. We can move data to secure backups. I will ensure that your employees use encryption and multi-factor authentication. Together we can overcome human nature and the human factor by enforcing a security mindset that focuses on what people are best at doing – complex reasoning. Contact me now and let’s win the cybersecurity game together.
