Culture & Cybersecurity • Article

No firewall can protect against a wrong click

True resilience starts with people — and with the culture that sustains secure day-to-day decisions.

No matter how robust the technology may be, no firewall can protect against a wrong click. Cybersecurity is often seen as a technical domain, reserved for specialised teams.
However, the most effective attacks exploit the weakest link of all: human behaviour. And that is why true resilience starts with people.

 

The fallacy of the “cyber team”

By delegating digital security only to the “IT department”, organisations forget one essential fact:
malicious actors are already counting on that internal division.

There is no need to hack servers. A single well-crafted email is enough, as is a file shared in the wrong group, a link sent in an SMS or WhatsApp message, or a weak password used by someone with good intentions.

Risk does not exist only in systems. It is present in our routines, habits, and even in the small distractions of everyday life.

 

Cybersecurity starts with culture

Truly secure organisations share one common trait: cybersecurity is embedded in the culture, not just in the systems.

  • An employee who questions a request that is out of the ordinary.
  • A manager who asks for proof before approving an urgent transfer.
  • A team that knows what to report and when.

None of this depends on firewalls or any other technology.
It depends on awareness. Training. Leadership.

 

Real examples of human failure

  • Case 1: a retail company lost 3.4 million euros after a phishing email was sent to the CFO. The message imitated the CEO and requested an urgent transfer.
  • Case 2: an employee accidentally shared a link with administrative permissions in a company WhatsApp group.
  • Case 3: a sales assistant, with no malicious intent at all, used the same password across different platforms — and opened the door to an attack that enabled devastating lateral movement.

All these scenarios have one thing in common: it was not the firewalls or the technology that failed. It was people who were not prepared.

 

What each person can (and should) do

For all employees:
  • Question urgent and unusual messages; urgency forces quick reactions without thinking.
  • Never share passwords or any other credentials (e.g. access cards, tokens) — not even with colleagues; a good intention today is a risk for both the organisation and the employee.
  • Report suspicious behaviour without fear, using the appropriate channels.
For leaders and managers:
  • Reinforce the reporting culture. It is not enough just to set direction; it is also necessary to know what is happening.
  • Ensure that training is practical, not generic — exercising real and challenging scenarios increases the resilience of people and, consequently, of the organisation.
  • Lead by example: do not click, do not ignore alerts, and do not facilitate or request exceptions that may inadvertently increase the organisation’s exposure to risk.
For HR and directors:
  • Include cybersecurity in onboarding plans, monitor the application of practices, reinforce and raise awareness throughout the contractual relationship, and integrate cybersecurity practices into role changes or offboarding processes.
  • Map behavioural risks by role, with particular attention to functions with privileged access.
  • Invest in continuous digital literacy programmes: training, online workshops, following sector news, and regularly subscribing to newsletters and other information from reputable entities all help us keep up with digital change, new risks and new challenges.

 

Security starts with training

Cybersecurity is not something you buy. It is built through knowledge, responsibility and collective commitment.

At Behaviour, we believe that Best Practices exist for a reason: to protect, empower and make people and organisations more resilient.

Courses such as ISO 27001, CISSP, NIS 2 or DORA Compliance Lead Manager are not just training courses or certifications.
They are opportunities to change the mindset of teams and prepare all parties, not only technicians, to face risks with confidence and clarity.

 

Security is not a role. It is an attitude.

If there is one thing the last few years have taught us, it is that no technology is enough when culture fails.

The cybersecurity of the future will not be built only on firewalls, encryption or AI. It will be built on aware people, prepared teams and secure decisions that, even when supported by technology, are validated by people.

Because in the end, the right question is not “who is responsible for security?”.
The right question is: “how are we all contributing to it?”

Author: Behaviour
Published on: 27 October 2025
Copying or reproducing this article is not authorised.