Your Employees Are Not the Weakest Link in Cybersecurity

For years, cybersecurity professionals have repeated the belief that employees are the weakest link. Each phishing attack, password reuse incident, or accidental data leak is met with “If only our employees were more careful.” But this thinking is flawed.


An analysis of cyber incidents and discussions with business leaders reveal challenges that remain hidden behind employee awareness and training programmes. Let’s explore four key realities that challenge the conviction that human employees are the weakest link.

1. Cybersecurity starts at the top

Leadership sets the tone

Not prioritising cybersecurity, or failing to allocate the right resources, is a challenge for organisations of all sizes. When management does not embed digital resilience into decision-making, IT security initiatives remain underfunded, reactive, or siloed.

Without proactive investment, organisations risk costly regulatory penalties and operational disruptions. Companies with a high level of digital resilience maturity prioritise cybersecurity, ensuring:

  • A dedicated budget for cyber initiatives
  • Board-level oversight of digital risks
  • Security embedded in project planning—not an afterthought

Cyber leaders cannot enhance the cyber maturity of employees if leadership fails to prioritise it. If employees are the symptom of poor resilience, leadership inaction is often the cause.

“Cyber resilience isn’t just an IT issue—it’s a leadership priority.”
Martin Butler
Professor of Management Practice in Digital Transformation

2. Supply chain cybersecurity: A hidden weakness

Are your partners putting you at risk?

One of the biggest cybersecurity risks today comes not from employees but from supply chain vulnerabilities. Attackers are increasingly targeting software providers, IT service companies, and even cybersecurity firms.

The 2024 breaches of security providers CrowdStrike and KnowBe4 highlight a harsh truth: Even companies investing heavily in cybersecurity can be compromised through third-party dependencies.

Organisations need to conduct cybersecurity due diligence on their technology suppliers by asking:

  • Do our vendors comply with security standards like ISO 27001 or SOC 2?
  • How do they verify and secure software updates?
  • Do they embrace Zero-Trust and Security-by-Design principles?

It’s no longer enough to assume that your vendors are secure—you need proof.

“You don’t have to be the target to become a victim.”
Martin Butler
Professor of Management Practice in Digital Transformation

3. Bridging the cyber language gap

Can your leaders speak ‘cyber’?

Cyber resilience is now a boardroom priority, but many top executives struggle to communicate cybersecurity risks in business terms.

When leaders understand cybersecurity fundamentals, they:

  • Ask the right questions
  • Challenge assumptions
  • Make informed decisions instead of relying solely on IT experts

With regulations like DORA, NIS2, and the EU AI Act holding boards accountable for cybersecurity, leaders need to speak cyber to ensure compliance, avoid penalties, and navigate incidents effectively.

Do your executives undergo cyber awareness training? Do you test their ability to respond during simulated attacks?

4. Humans aren’t the weakest link—behaviours are

Blame the system, not the people

We don’t blame pilots for turbulence—we equip them with training, protocols, and automation to handle it safely. The same should apply to employees in cybersecurity.

Employees don’t intentionally click malicious links or mishandle data; they react to their environment and cognitive biases. Therefore, security awareness training should:

  • Move beyond one-size-fits-all approaches
  • Be immersive and real-world relevant
  • Use behavioural science to shape security-conscious habits

Just as marketing tailors messaging to different audiences, cybersecurity training should adapt to employees' roles and risk profiles.

"Stop blaming users—start shaping behaviour."
Martin Butler
Professor of Management Practice in Digital Transformation

Conclusion: Cybersecurity is a collective responsibility

Building a digitally resilient organisation requires moving beyond the outdated belief that humans are the weakest link. Instead, businesses must:

  • Prioritise cybersecurity at the leadership level
  • Recognise and mitigate supply chain risks
  • Equip executives to communicate cyber risks effectively
  • Shape security-conscious behaviours instead of blaming individuals

When cybersecurity becomes a shared responsibility, organisations shift from reacting to cyber threats to proactively defending against them.

More info?

Check our online management programme Cyber Resilience for Business Leaders or get in touch with Annelies Claeys. She will be happy to answer all your questions: annelies.claeys@vlerick.com or +32 (0)9 210 98 04.