In the digital economy, company boards have become accustomed to thinking of cyber security in terms of a technological arms race. We invest in ever-higher walls, more modern firewalls and more advanced artificial intelligence, believing that these alone constitute our resilience.
This is a costly error of perception. The brutal truth, borne out by hard data from 2024, is that the most expensive defences remain helpless against a single click. The collapse of 158-year-old UK firm KNP Logistics Group, brought down by hackers who cracked one employee’s weak password, is not an anomaly but a harbinger of a new era of risk.
It is time to stop seeing employees as the weakest link and start treating them as the most important strategic line of defence. Investment in their awareness is not an IT cost, but a fundamental element of business strategy with the highest return on investment.
Global reports are merciless on this issue. Mimecast analysis indicates that as many as 95% of data breaches in 2024 were linked to human error. Verizon’s prestigious Data Breach Investigations Report (DBIR) states that human factors were a key component in 68% of all breaches, deliberately excluding malicious activity from this statistic to more accurately pinpoint the area where education matters most.
It is no coincidence that 74% of chief information security officers consider human error to be their biggest risk. Cybercriminals understand very well that fooling a human is many times easier and cheaper than breaking advanced security measures.
Therefore, phishing, an attack method based on manipulation, is responsible for more than 80% of all reported security incidents. In Poland, according to CERT Polska, phishing accounted for 40% of all recorded incidents, with criminals most often impersonating local platforms such as OLX or Allegro, which shows the precision and scale of the phenomenon.
Ignoring this fact generates astronomical, measurable costs. According to IBM’s Cost of a Data Breach 2024 report, the average global cost of a data breach has reached a record $4.88 million. Significantly, breaches whose initial attack vector was phishing cost companies an average of $4.9 million, ranking them among the most expensive categories of incident.
Translating this to the Polish reality, the average cost of a serious incident in industrial enterprises was PLN 1.7 million, and the average ransom demanded from companies in ransomware attacks exceeded PLN 10 million. However, these sums are just the tip of an iceberg that also includes losses related to downtime, loss of customers, regulatory fines and long-term reputational damage.
In this context, spending on security awareness training is proving to be one of the most profitable decisions a board can make. This is not an opinion, but mathematics. The same IBM report that points to millions of dollars in losses shows that organisations with well-implemented training programmes reduce the average cost of a breach by an impressive $1.5 million.
Independent analyses of KnowBe4 platform implementations have shown a return on investment (ROI) of between 200% and 400%, with full payback occurring on average after just 3.5 months. Case studies from financial and commercial companies confirm these figures, showing a reduction in the click-through rate of malicious links from 25% to just 4% or a 60% drop in successful email attacks, translating into an estimated saving of $2 million per year.
The key to achieving such results, however, is to abandon outdated educational methods. Annual, passive training based on PowerPoint presentations is an illusion of security that does not change the real behaviour of employees.
Effective education in the 21st century must be continuous, engaging and practical. Modern programmes are based on micro-learning – regular, short sessions to consolidate knowledge – and gamification, which transforms learning from obligation to motivating competition.
An absolutely key element is controlled phishing simulations, which allow employees to practise vigilance and build the right reflexes in a safe environment. The aim is not to punish mistakes, but to use them as teachable moments and to build a positive culture in which reporting a mistake is an act of responsibility.
The final argument that should put an end to any discussion about the legitimacy of training is the new legal order. The EU NIS2 Directive, implemented into Polish law, makes regular employee education a firm requirement.
Moreover, it places direct personal responsibility on board members to oversee cyber-security measures, training explicitly included. Ignoring this obligation risks not only severe financial penalties for the company, but also personal consequences for executives.
The conclusions are clear. In a threat landscape where more than 90% of attacks start with a human being, investing solely in technology is strategically negligent. Employees, equipped with the right knowledge and tools, cease to be the biggest risk. They become a distributed, intelligent early warning system – a human firewall that can detect and neutralise a threat before it reaches the technological layers of defence.
Investing in building this firewall is the wisest and most cost-effective decision any informed organisation can make.
