The Human Error Problem: Why Companies Must Embed Cybersecurity Into Their Culture
Employees are often described as a company’s greatest asset and key differentiator. However, employees can be an organization’s greatest vulnerability when it comes to cybersecurity and data privacy risk.
Human error represents one of the biggest reasons for cybersecurity incidents, with more than two-thirds of incidents triggered by human decisions and behaviors. Today, threat actors target organizations using increasingly hard-to-detect and sophisticated social engineering tactics, making it crucial for organizations to remain one step ahead to best ward off threats. The most effective cybersecurity programs recognize the shared nature of this responsibility – even with the strongest security systems and technology in place, a single human error can compromise an organization’s entire network, which can trigger legal risk, erode stakeholder trust, impact the organization’s bottom line, and cause long-term reputational harm.
No organization is immune. Many organizations across sectors and industries have been impacted as a result of human errors – such as clicking on sophisticated phishing links, falling for wire fraud scams, downloading free AI software that contained hidden malware – all leading to significant operational disruptions and/or data leaks.
To help protect the organization, it’s imperative that leaders take purposeful steps to build a robust, ready and resilient Cybersecurity Culture. Cybersecurity Culture is organizational-wide and goes beyond standard annual cybersecurity training and periodic phishing tests and focuses on employees’ beliefs, mindsets and behaviors toward cybersecurity.
Organizations that foster a robust, ready, and resilient Cybersecurity Culture share several key practices.
Cybersecurity is embraced by all employees as a shared, collective responsibility
Employees at all levels understand how their individual actions can impact the organization’s cybersecurity and take accountability for protecting data and systems. Employees believe a strong security culture is crucial to drive and sustain the organization long-term, rather than a set of policies and procedures that pose barriers to their day-to-day work. This behavior manifests in proactive reporting of suspicious emails and links. More importantly, during times of immense pressure and tight deadlines, employees’ behavior is shaped and driven by the desire to keep the organization safe rather than to get the job done ‘by any means.’ For example, employee trainings are provided on key areas of security policy that apply directly to jobs and cover all risks relevant to all roles regardless of region or job specification. These trainings are easy to locate, and employees know where to access security policies and where to turn if they have questions.
Accountability for the organization’s cybersecurity is embraced and endorsed by leaders at all levels, and not just those in the IT and Information Security departments
Leaders actively advocate the importance of cybersecurity to their employees and consistently role model responsible behaviors. Security objectives are consistently articulated and reinforced as they relate to different departments and teams, along with how to achieve those objectives. Leaders proactively communicate and explain the risks (to individuals and to the organization) if security policies and procedures are not followed. This includes providing clear direction on what is acceptable and unacceptable behavior in terms of organizational security. Examples of leader endorsement include frequent storytelling during team meetings, practicing different real-life scenarios, and transparent leadership by providing personal change stories on how security policies were applied or not applied and the impact to the business.
Cybersecurity is treated as a critical success factor for the business. It is not seen as an afterthought, a nagging task on a to-do list, or the necessary evil which must be tackled once a year
Rather, cybersecurity is viewed and treated by leaders and employees as equally critical to a business’s success as other key functions, including product development, customer service, operations, marketing, sales and other core capabilities. Cybersecurity and data privacy are treated as risks to be mitigated to help position the organization to deliver on its mission without disruption. For example, security compliant behavior is part of the organization’s performance management; the company rewards behavior that supports a strong security culture. This shows up as target KPIs in annual performance reviews and metrics dashboards to emphasize each employee has a critical role in maintaining the security of the organization.
While an organization’s people can be its greatest vulnerability in information security, employees can also serve as an organization’s greatest asset. To better protect an organization, it’s vital for leaders to recognize the critical role culture plays in overall security posture. More importantly, they must provide the tools and resources to build a ready, resilient and robust cybersecurity culture.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2025 FTI Consulting, Inc. All rights reserved. fticonsulting.com