When you think about the way your organization interacts with data and IT assets, you have two components: machines and people. At the machine layer, your network, IT appliances, endpoints and other systems collect, store and process data. But it’s your employees who control or impact these processes.

The human layer is, essentially, your people — driven by their behaviors, actions, activities, communication patterns and habits.

The decisions that employees make as part of their daily work create a large risk surface. This surface grows even more expansive as your workplace embraces remote and hybrid work policies and your workforce can access sensitive data from anywhere and at any time.

Consider these examples:

• An Australian hedge fund went out of business in 2020 after a phishing email sent to a high-ranking executive resulted in millions of dollars’ worth of fraudulent invoices paid by the company.
• A website host’s customer service employee who clicked on a spear phishing email gave cyberattackers access to customers’ domain records, resulting in redirects to websites that displayed profane messages.
• A consumer-facing company’s IT delay in patching a known vulnerability in a web framework resulted in compromised personal data for hundreds of millions of U.S. consumers.

All these are examples of real-world incidents that could have been prevented at the human layer.

A holistic approach to cybersecurity has three pillars: people, processes and technology. These elements are equally important to improving and maintaining your organization’s security posture. But the human layer is often your first line of defense — and addressing this layer is the first step to minimizing risk.