The Most Underrated Cybersecurity Defence: Empowering Employees

  • Writer: Vinod Sharma Pathak
  • May 10
  • 3 min read

In today’s threat landscape, I believe one of the most underrated cybersecurity defences is employee training: teaching our people to identify and react to social engineering attacks. As that landscape evolves, we’re quick to turn to high-tech solutions like AI-based detection systems, next-generation firewalls, and automated tools. But in my opinion, one of the most powerful yet underrated defences isn’t a tool or platform at all. It’s training your people and equipping them with the skills and awareness to recognise and avoid phishing, vishing, and smishing attacks.

Technology can block many threats, but it can’t stop an employee from clicking a convincing phishing link unless they know what to look for.


Why Phishing, Vishing, and Smishing Still Work

Despite being among the oldest tricks in the book, phishing (fraudulent emails), vishing (voice-based scams), and smishing (phishing via SMS or messaging apps) remain devastatingly effective. Why? They exploit human behaviour, not weaknesses in the system.


For example, a smishing message might say:

“Your NZ Post package is held. Pay $3.99 here to release it: [fake link].”


According to the 2024 Verizon Data Breach Investigations Report, over 31% of breaches involved phishing. The FBI’s Internet Crime Report 2023 revealed that scams involving compromised business email accounts led to reported losses of over $2.9 billion. Meanwhile, Proofpoint’s 2023 State of the Phish Report notes that smishing is now widespread, with nearly 80% of organisations encountering such attacks.

The Cyber Threat Report 2023/2024, released by NCSC-NZ (National Cyber Security Centre), states that most of the events logged by the NCSC affect individuals and small to medium enterprises and organisations. Attackers continue to exploit people's growing dependence on technology in daily life, together with a lack of basic cybersecurity precautions. The most common types of cyber incidents include unauthorised access, phishing, credential harvesting, scams, and fraud.

Figure 1. All 2023/2024 Incidents handled by NCSC through general triage process, by category

These attacks work because they create urgency, fear, or curiosity, prompting a quick reaction before rational thinking takes over.


The Case for Human-Centric Defence

From what I’ve seen in both small businesses and larger organisations, employee training is often treated as a checklist exercise, if it’s done at all. Many assume that cybersecurity is “the IT team’s problem” or that one-off training during onboarding is sufficient. It isn’t.

A well-meaning employee, caught in a busy moment or under pressure from a persuasive message, may unintentionally trigger a full-scale breach. Technology helps, but if your people don’t know how to spot a red flag, the damage is already done.


What Effective Training Looks Like

I believe that truly effective training:

  • Goes beyond compliance by engaging people with real-world scenarios and consequences.

  • Includes phishing simulations so that users learn by doing.

  • Is ongoing: not a once-a-year event, but part of the regular rhythm of the company.

  • Fosters a culture of openness so employees feel safe reporting suspicious emails, texts, or calls.

  • Tailors content to different roles. For instance, attackers frequently target finance and HR teams, which therefore require extra vigilance.


It’s Time to Shift the Narrative

We need to stop thinking of employees as weak links and start empowering them as our first line of defence. In my experience, effective training and an understanding of security practices enhance staff alertness, confidence, and proactiveness.

Cybersecurity awareness isn’t about turning everyone into a security expert. It’s about giving people just enough knowledge to stop, think, and ask.


Final Thoughts

Technology will always be essential, but it’s only one side of the cybersecurity equation. On the other side are people, who are just as important and often overlooked.

Let’s make employee training a core part of every cybersecurity strategy, not an afterthought. What will be the return on that investment? Fewer breaches, greater resilience, and a workforce that is truly empowered.

