The first line of defense against cyberattacks? Your employees

It seems as if every time you turn on the news, there’s a huge story about data breach. It costs companies and consumers, on average, $3.62 million for each and every individual breach. That’s not total — that’s just the average. For companies like Target, or Uber, or Equifax, the cost in real dollars and brand diminishment is far, far more. But hackers aren’t just after Fortune 100 companies, they’ve come after politicians via phishing attacks, installed malware on millions upon millions of computers, and even the U.S. government used the Stuxnet virus to remotely disable Iranian nuclear facilities. It’s the front line of Russian misinformation campaigns, and there’s evidence Russia’s developing it as the first line of attack in active conflicts.

All that’s to say cyberattacks come in all shapes, sizes and packages and wreak untold devastation depending on that particular attack.

To combat these omnipresent threats, companies spend a ton of money on antivirus software, enterprise monitoring solutions and outsourcing security to experts. Consumers have turned to military-grade encryption protocols via password managers like LastPass. Entire sections of consumer publications like Wired are dedicated to cybersecurity and cyberthreats. But one of the things so much of the solution-oriented approach to this problem forgets is that the first, and often most important, line of defense against cyberattacks isn’t necessarily a bullet-proof firewall or military-grade monitoring software — it’s far more simple than that.

It’s your employees.

Just the other day I received an email from an Equifax.com email address saying there was a secure message waiting for me in my security center, and to click the embedded link to download and read it. It had an Equifax logo, all the proper documentation in the footer of the email… it looked legit. If I wasn’t so damned paranoid, I probably would have clicked on it without giving it a third glance. It looked like the real deal and came from what appeared to be a real email address. It got through gmail’s filters to boot. But because I am paranoid about security threats, I signed in to Equifax on my own to check the message center and saw there wasn’t anything there for me. Also, my spidey-sense was aroused anyway because it seemed totally off-base that Equifax would want me to download something from an email in order to read a secure message. I immediately reported it as phishing to Google and deleted it from my inbox without clicking on or downloading anything.

None of that is to give myself a public pat on the back. That’s just showing how far we’ve come from “Nigerian princes” asking us for credit card information over email. The phishing attacks on lowly consumers are so dang advanced a mobile development professional who handles app security all the time was tempted to click on something that had all the trappings of the real. Now, I wasn’t actually close to clicking it because the message did seem off, but it goes to highlight just how on guard you have to be. All the time.

Using the highest-possible-grade security for your digital interactions is beyond important. Doing data and security audits with top-notch security consultants are highly encouraged. Hiring enterprise monitoring solutions and installing the best antivirus software and building a bullet-proof firewall are all important steps in keeping your and your client and your partner’s data secure. But if you’re not training your employees on what to look out for, instilling in them a deep sense of skepticism in everything they encounter or read, or teaching them how to safely navigate the fraught cybersecurity landscape we’re in today, you’re doing them and your company a disservice.

Your employees are your first line of defense against cyberattacks; invest in training them as much as you invest in software or enterprise solutions.

Because you need all the help you can get.