Your Biggest Security Risk Is Your Employees
Your biggest security risk is not a Russian hacker. It is the well-meaning accountant who is about to wire $180,000 to a fraudulent vendor because the email looks like it came from you.
Every conversation I have about security with an SMB owner starts in the wrong place. They want to talk about firewalls. They want to talk about endpoint protection. They want to talk about whatever the cybersecurity industry's marketing budget told them to be afraid of this quarter. Those things matter. They are not the thing.
The thing is that the overwhelming majority of breaches at companies your size start with a human doing something reasonable that turns out to be wrong. The phishing email looked legitimate. The password that got reused on a personal account that got dumped. The "I'll just download this real quick" decision. The "she's been with us for years, of course she has access" oversight. The "let me forward this to my personal email so I can work on it from home" habit.
These are not bad employees. These are good employees. The same loyalty and helpfulness that make them good at their jobs also make them a soft target. A bad actor knows this better than you do.
Your breach is going to look nothing like the news coverage. The news coverage describes nation-state APTs and ransomware crews. Your breach is going to be less interesting than that. Someone is going to send your bookkeeper an email that appears to come from a vendor you actually use, with an invoice attached that looks like one you would actually pay, asking the bookkeeper to update the routing number on file because the vendor switched banks. The bookkeeper, who is conscientious and wants to ensure invoices are paid on time, updates the routing number. Two weeks later, you wire $47,000 to a numbered account in another country.
Nobody hacked anything. Nobody broke through a firewall. Your endpoint protection had nothing to do with it. The breach was a human reading an email and doing exactly what they were trained to do, which is to make sure vendors get paid.
Most "security awareness training" is theater. It is a 30-minute video that your employees watch annually so the auditors can see that you ran a program. The video is forgettable. The phishing examples it shows are 2014-era Nigerian prince stuff. The actual phishing your employees will face is custom, plausible, and aimed at exactly the kind of decision they make every day. Annual training does not prepare anyone for that.
The reason your employees are your biggest risk is not that they are careless. It is that the systems around them are designed to fail open. A wire transfer for $47,000 should not be a single bookkeeper's decision to make based on an email. A change to a vendor's banking information should require a phone call to a known number. A new vendor in the accounts payable system should require approval from someone other than the person who set them up. A privileged account should not be inherited by whoever happens to be in the role this quarter. None of these is a training problem. They are process problems. The employee is just the person at the keyboard when the process fails.
Earlier in my career, I might have agreed with the CEO who says, "We trust our people, we don't need that kind of overhead." Now I know that trust is exactly the thing the attacker is counting on. The whole game is to find a process that depends on someone doing the right thing under time pressure, and to apply just enough pressure that they do the wrong thing instead. You cannot train your way out of that. You have to redesign the process so that the wrong thing is not possible in the first place.
Identify the high-stakes decisions in your business that depend on a single person doing the right thing under email pressure. Wire transfers. Vendor banking changes. Privileged account creation. Customer data exports. Put a second human in the loop for every one of them. Phone-call verification for anything financial, placed to a number you already have on file, never to one supplied in the email that asked for the change. Two-person approval for anything that touches customer data at scale. This is not bureaucracy. It is the recognition that the attacker's whole plan depends on you not having it.
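What "fail closed" looks like when it is built into the accounts payable tool rather than left to the bookkeeper's judgement, as an added example that is not code from the original article: a vendor bank-change request that the system refuses to apply until someone has called the number already on file and a second, different person has approved it. The vendor record, the names and the helper functions are constructed for illustration.

```python
"""Fail-closed controls for a vendor banking change.

Added example, not code from the original article. The vendor record,
the user names and the function names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


class ControlViolation(Exception):
    """The request cannot be applied; the process fails closed."""


# Constructed sample vendor record. The phone number was captured at
# onboarding and is the only number a verification call may go to.
# Nothing in an inbound email can change it.
VENDORS_ON_FILE = {
    "acme-supply": {
        "routing": "021000021",
        "account": "000111222",
        "phone": "+1-555-0100",
    },
}


@dataclass
class VendorBankChange:
    vendor_id: str
    new_routing: str
    new_account: str
    requested_by: str                       # the person who received the email
    callback_number: Optional[str] = None   # number actually dialled
    callback_confirmed_by: Optional[str] = None
    approved_by: Optional[str] = None


def record_callback(req: VendorBankChange, vendors: dict, dialled: str, caller: str) -> None:
    """Record an out-of-band verification call. Only a call to the number
    already on file counts; a number printed in the email is attacker-controlled."""
    on_file = vendors[req.vendor_id]["phone"]
    if dialled != on_file:
        raise ControlViolation(
            f"callback went to {dialled}, but the number on file is {on_file}"
        )
    req.callback_number = dialled
    req.callback_confirmed_by = caller


def record_approval(req: VendorBankChange, approver: str) -> None:
    """Second human in the loop: the approver must not be the requester."""
    if approver == req.requested_by:
        raise ControlViolation("requester cannot approve their own change")
    req.approved_by = approver


def apply_change(req: VendorBankChange, vendors: dict) -> dict:
    """Write the new banking details only if every control is satisfied.
    Any missing step raises, so one person alone cannot complete the change."""
    vendor = vendors[req.vendor_id]
    if req.callback_number != vendor["phone"] or not req.callback_confirmed_by:
        raise ControlViolation("no verified callback to the number on file")
    if not req.approved_by or req.approved_by == req.requested_by:
        raise ControlViolation("no independent second approval")
    vendor["routing"] = req.new_routing
    vendor["account"] = req.new_account
    return dict(vendor)


def _fresh_vendors() -> dict:
    return {k: dict(v) for k, v in VENDORS_ON_FILE.items()}


def blocked_attempt() -> str:
    """The attack as it actually arrives: the bookkeeper, acting alone, calls
    the number printed in the fraudulent email. Returns why it was blocked."""
    vendors = _fresh_vendors()
    req = VendorBankChange("acme-supply", "111000025", "999888777", "bookkeeper")
    try:
        record_callback(req, vendors, dialled="+1-555-0199", caller="bookkeeper")
    except ControlViolation as e:
        return str(e)
    return "not blocked"


def blocked_without_approval() -> str:
    """Correct callback, but the bookkeeper tries to finish it solo."""
    vendors = _fresh_vendors()
    req = VendorBankChange("acme-supply", "111000025", "999888777", "bookkeeper")
    record_callback(req, vendors, dialled="+1-555-0100", caller="bookkeeper")
    try:
        apply_change(req, vendors)
    except ControlViolation as e:
        return str(e)
    return "not blocked"


def verified_change() -> dict:
    """Legitimate change: callback to the number on file, then a second
    person approves, then and only then the record is updated."""
    vendors = _fresh_vendors()
    req = VendorBankChange("acme-supply", "111000025", "999888777", "bookkeeper")
    record_callback(req, vendors, dialled="+1-555-0100", caller="bookkeeper")
    record_approval(req, approver="controller")
    return apply_change(req, vendors)
```

The point of the structure is that `apply_change` re-checks the evidence itself instead of trusting a flag set earlier in the workflow; the decision to write the record is made by the control, not by whoever is at the keyboard.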
Run actual phishing simulations, not annual videos. Pay a service to send realistic phishing emails to your staff every month, and measure who clicks. The point is not to punish people who fall for it. The point is to find out which of your processes is most vulnerable and harden it. If half your accounts payable team clicks the simulated vendor banking change email, that is operational intelligence. Use it.
And minimize the surface area. Most employees have access to more systems than they need for their jobs. Audit that. Remove access that is not actively needed. When someone changes roles, change their access on day one. When someone leaves, change their access before the exit interview ends. The smaller the blast radius of any individual compromise, the more bad days you avoid.
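The access audit in the paragraph above, as an added example that is not code from the original article: given a baseline of what each role needs and a list of who currently holds what, it finds grants outside the holder's role, grants nobody has used recently, and the exact revoke list for a role change and for a departure. The role names, system names and grant records are constructed for illustration.

```python
"""Least-privilege access review: access beyond the role baseline, access
nobody uses, and what to revoke when someone moves or leaves.

Added example, not code from the original article. Role names, system names
and the grant records are constructed for illustration.
"""
from datetime import date

# Constructed role baselines: the systems each role actually needs.
ROLE_BASELINE = {
    "accounts_payable": {"erp-ap", "bank-portal", "email"},
    "sales": {"crm", "email"},
    "it_admin": {"erp-admin", "idp-admin", "email"},
}

# Constructed grant records: (user, current role, system, last used).
GRANTS = [
    ("dana", "sales", "crm", date(2024, 5, 20)),
    ("dana", "sales", "email", date(2024, 5, 31)),
    ("dana", "sales", "erp-ap", date(2023, 10, 3)),            # kept after moving out of AP
    ("raj", "accounts_payable", "erp-ap", date(2024, 5, 30)),
    ("raj", "accounts_payable", "bank-portal", date(2024, 5, 30)),
    ("raj", "accounts_payable", "email", date(2024, 5, 31)),
    ("raj", "accounts_payable", "idp-admin", date(2024, 1, 9)),  # "helped with onboarding once"
    ("mei", "it_admin", "idp-admin", date(2024, 5, 29)),
    ("mei", "it_admin", "erp-admin", date(2024, 2, 1)),
    ("mei", "it_admin", "email", date(2024, 5, 31)),
]

# Systems whose compromise lets an attacker grant themselves more access or
# move money; these are revoked first on exit.
PRIVILEGED = {"idp-admin", "erp-admin", "bank-portal"}


def excess_access(grants=GRANTS):
    """Grants outside the holder's role baseline, keyed by user."""
    excess = {}
    for user, role, system, _ in grants:
        if system not in ROLE_BASELINE[role]:
            excess.setdefault(user, set()).add(system)
    return excess


def dormant_access(today, max_idle_days=90, grants=GRANTS):
    """Grants not exercised within max_idle_days. Unused access is pure
    blast radius, whether or not the role baseline allows it."""
    return sorted(
        (user, system)
        for user, _, system, last_used in grants
        if (today - last_used).days > max_idle_days
    )


def revocations_on_role_change(user, new_role, grants=GRANTS):
    """Day-one revoke list for a mover: everything held that the new role does
    not need, which also sweeps up leftovers from earlier roles."""
    held = {system for u, _, system, _ in grants if u == user}
    return held - ROLE_BASELINE[new_role]


def revocations_on_exit(user, grants=GRANTS):
    """Leaver: every grant goes, privileged systems first so the dangerous
    ones are cut even if the run is interrupted halfway."""
    held = {system for u, _, system, _ in grants if u == user}
    return sorted(held, key=lambda s: (s not in PRIVILEGED, s))
```

Running this against a real identity provider's export is the same shape of work; the part that most teams skip is keeping the role baseline honest, because an overly generous baseline makes every excess grant look legitimate.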
Your employees are not the enemy. They are the people the enemy is targeting. The job is to make their targeting less effective.
Build the process so the wrong answer is hard to give. Then keep teaching them to recognize what wrong looks like. In that order.