The Human Factor in Cybersecurity

There are different points of view regarding the human contribution to cyber threats. Finding the right balance between training and additional technology depends on the organization and whether there have been any ongoing security threats. My number one priority would be to make sure that employees are taking the correct steps and know how to spot malicious emails. Beyond the “mandatory” training, I would create real-world attempts and see how employees respond.

Human behavior remains one of the hardest things to predict, and it’s often the weakest link within cybersecurity. That is why it is so important to invest in continuous training and education regarding cybersecurity. A large portion of the budget should be dedicated to creating ongoing and comprehensive security awareness training programs. This training should focus on real-world scenarios, such as phishing attacks and social engineering examples, to make employees more aware of potential threats. Different types of training are available that are both interactive and engaging, which helps make sure employees are actually learning something new. The type of training would depend on the role and responsibilities each employee has, rather than being a one-size-fits-all solution.

Another part of the budget would go to making sure that the correct tools and security measures are in place to protect ourselves. Are the employees using strong and safe passwords? I would make sure multi-factor authentication is mandatory, as this remains an effective way to strengthen security. It helps reduce human error by requiring employees to verify access permissions, and it is another added layer of security. It would also be important to invest in tools to maintain network security.

Finding the right balance between training and additional cybersecurity technology depends on the organization and whether there have been any ongoing security issues. My number one priority would be to make sure that employees are taking the correct steps and know how to spot malicious emails. Beyond the “mandatory” training, I would create real-world attempts and see how employees respond. This will help evaluate the program and identify any gaps. Training and technology should be continuously updated, as threats are changing daily.
