Companies Are Hacked Because Individuals Keep Making The Same Mistakes

Most of the time, companies are hacked because of mistakes individuals keep making. Not because they or anyone else is stupid but because cybercriminals are clever. Despite the increasing awareness of cyber risks, people often underestimate the potential consequences of their actions and overlook simple security measures. 

See Something, Say Something!

There are several reasons why employees in an organization with a “See Something, Say Something” policy hesitate to report suspicious activities that could lead to a cyber incident. 

One reason is that they may not fully understand the importance of cybersecurity or the potential consequences of a cyber incident. They may also not know what qualifies as suspicious behavior or whom to report it to, which creates confusion and hesitation.

Another reason is that employees may fear retaliation or repercussions from their colleagues or superiors if they report suspicious activity. This could be due to a lack of trust in management, a fear of being labelled as a “snitch,” or concerns about their job security.

Moreover, employees may hesitate to report suspicious activity if they believe the incident is minor or inconsequential. They may also assume that “someone else” will report the incident, leading to a diffusion of responsibility.

Finally, employees may not report suspicious activity if they feel the organization’s response to previous reports has been inadequate or ineffective. This can create a sense of futility and apathy, leading them to believe that reporting suspicious activity will not result in any meaningful change. 

Overall, a lack of understanding, fear of retaliation, the belief that the incident is minor, diffusion of responsibility, and perception of inadequate response all contribute to why employees in an organization with a ‘See Something, Say Something’ policy often hesitate to report suspicious activity resulting in disastrous data breach consequences.

But, as mentioned, even if good cyber awareness training is implemented, people underestimate the risk and do not take them seriously, leaving organizations vulnerable to attacks.

Let’s Look At The Reasons Why Employees Don’t Prioritize Cybersecurity

Cybersecurity Training is boring

Cybersecurity training can be considered tedious or boring, leading to disengagement and lack of attention. This is especially true if the training is presented in a dry, technical manner or if the content is irrelevant to employees’ daily work.

Cybersecurity is IT’s problem

Some believe cybersecurity is the IT department’s or cybersecurity professionals’ sole responsibility rather than a shared responsibility of the entire organization. This leads to a lack of motivation or interest in cybersecurity training, as employees fail to see how it directly relates to their job responsibilities.

A false sense of security

Employees may believe that their organization’s cybersecurity measures are sufficient and that they are unlikely to be targeted by cybercriminals. This false sense of security makes them complacent with a lack of urgency to take cybersecurity training seriously.

Lack of understanding of the severe implications of a breach

Sometimes employees do not fully understand the potential implications of a cybersecurity breach, such as financial losses, damage to reputation, or legal and regulatory repercussions. Therefore there is no appreciation for the importance of cybersecurity and the need for ongoing training.

Too busy to worry about cybersecurity

Not everyone will prioritize cybersecurity training due to competing demands on their time or because they believe their other responsibilities take precedence.

How to transform a cyber awareness culture 

To address these issues, organizations should provide engaging and relevant training content, emphasize cybersecurity’s shared responsibility, regularly communicate its importance and provide real-world examples of the consequences of cyber breaches. By allowing sufficient time and resources to complete training and testing, the reasons for not prioritizing cybersecurity, as discussed above, can be eliminated to get employee buy-in.

Cybersecurity awareness training must be tested

If cyber awareness training is not tested, vulnerabilities and gaps caused by human error will prevail. 

Training is typically tested through online assessments, phishing simulations, and social engineering tests. These tests are designed to assess an individual’s knowledge of cyber security best practices and identify areas where they may be vulnerable to cyber-attacks.

· Online assessments involve multiple-choice questions or scenarios that test an individual’s understanding of topics such as password security, phishing, and data protection.

· Phishing simulations involve sending fake phishing emails to employees to see how many fall for the trap and click on the link or enter their credentials. 

· Social engineering tests involve attempting to gain unauthorized access to sensitive information by tricking employees into providing access or credentials.

Last but not least, the final responsibility to create a culture of trust and transparency must come from the organization’s leaders. Employees need unequivocal guidance for clear reporting channels and assurances that all reports will be taken seriously and will be responded to quickly and appropriately.

Are you ready to turn your employees into your strongest security asset?

Step one: determine your organization’s areas of weakness with ENHALO’s Human Vulnerability Assessment.

Step two: transform the cyber awareness culture of your workforce with our animated cyber training, which historically shows engagement rates of over 90%. 

Get in Touch

Supply Chain Threat Detection

Cyber criminals have upped their game, so should you. We never underestimate or ignore your supply chain's security threats.

Security Operations Center

Financial losses, intellectual property theft, and reputational damage due to security breaches can be prevented.

SOC Assurance Service

Despite a mature Security Operations Center, you're still under threat. Our SOC Assurance mitigates the risk of unnoticed breaches.

Emergency Cyber Response

Regain immediate control, contain the damage, and eradicate the threat. Your bullet-proof, SOS rapid response.

Agentless Network Segmentation

Rely less on vulnerability management and rest assured that the threat won’t spread across your network.

Cyber Risk Assessment

Understand how vulnerable you are. We identify your threat sources and calculate your risks – likelihood and impact.

Endpoint Detection and Response

This solution is for customers that do not have extensive security budgets or staffing to implement and monitor an endpoint security solution.

Irregular Behavior Detection

Companies focus heavily on malicious outsider mitigation, while the biggest threat lies with those who already have access.

Penetration Testing Services

A penetration test is arguably the most important part of any cybersecurity journey, it tests an organization’s ‘final line of defense’ against attackers.

Security Awareness Training & Testing

With cybersecurity awareness training, the risk of human error can be reduced, turning human error into a human firewall.


360 Security
Must Know Cyber
Security Services



Cyber Security Services

Supply Chain Thread Detection
Security Operations Center
SOC Assurance Service
Emergency Cyber Response
Agentless Network Segmentation
Cyber Risk Assessment

Supporting Cyber Security Services

Endpoint Detection and Response
Irregular Behavior Detection
Penetration Testing
Security Awareness Training and Testing

Related Posts

Cyberattack Emergency

Are you experiencing an active cyberattack?

Get rapid response.

Call ENHALO’s International SOS no:
For Other Inquiries: