Talking to employees about cybersecurity: A human-centric approach

Learn how to foster a culture of cybersecurity through clear, inclusive communication and training.


Today’s digital workplace makes cybersecurity a shared responsibility for all employees. As organizations strive to balance flexibility, security, and cost in their cybersecurity posture, one of the most overlooked yet critical components is communication: Specifically, how they talk to employees about their role in protecting the organization. 

‘We are the last gatekeepers’

Even with the most advanced security infrastructure, humans remain the weakest link. Staff members are often the final line of defense against business email compromise, social engineering, wire fraud, and other approaches where human error allows the attackers in. Without proper education and communication, organizations are vulnerable to numerous risks that can impact their resiliency or lead to unexpected fines or operational halts.  

Encourage a culture of vigilance:

  • Don’t rush, especially when handling emails or financial transactions, so you are less likely to fall for traps like fraudulent wire-transfer requests or fake login pages. Be skeptical of urgency, and hover over links to check that they point where they claim to before clicking.
  • Trust, but verify – always double-check unexpected requests, even from known contacts.
  • Pause and think before clicking links or downloading attachments.

Training is not optional – it’s foundational

Many organizations consider security awareness training a “check the box” item, and investing in cybersecurity training, tools, and protocols may seem costly upfront. But the potential return on investment is undeniable: Per a 2024 IBM report, among surveyed organizations that had a data breach, employee training reduced the average breach cost by nearly $260,000.

Cybersecurity training should be a standard part of onboarding and ongoing professional development. Additionally, organizations should:

  • Encourage proactive learning: Employees shouldn’t wait for IT to mandate training.
  • Discourage unauthorized tech adoption: New tools should be vetted and approved by IT to avoid security blind spots.
  • Promote best practices: For example, password managers help store passwords securely, and requiring additional forms of authentication when signing into systems, networks, and applications (i.e., multifactor authentication) helps lower the risk of unauthorized access if an employee’s password is compromised.

Bridging the generational cyber gap

Keep in mind that the modern workforce spans multiple generations, each with varying levels of digital fluency and cybersecurity awareness, and this generational delta can create gaps in understanding and behavior. Speaking broadly, younger generations may be more tech-savvy but may still underestimate risks. Conversely, older employees may be more cautious but less familiar with evolving threats and with the advanced security measures that have become an expected standard across industries for protecting the organization.

Clear, inclusive communication is key. Tailor your cybersecurity messaging to meet employees where they are. Use relatable examples, avoid jargon, and reinforce that everyone plays a role in keeping the organization secure. Once staff understand the risks, it becomes common sense for them to adopt good security practices.

The risks of mixing personal and professional

When individuals mix personal and professional accounts, they unknowingly introduce risks to their organizations that can have significant ramifications. Warn employees against:

  • Using the same passwords for both professional and personal accounts: Personal accounts employees have on websites may have already been compromised, and hackers can use this information to target their professional credentials, as it can be very easy to find out someone’s professional email. In the IBM report, 16% of the data breaches stemmed from stolen or compromised credentials – resulting in an average $4.81 million financial impact per breach. 
  • Mixing professional and personal data stored on systems: IT cannot protect corporate data stored on systems it does not manage, and personal data stored on corporate systems may become discoverable in an investigation or legal proceeding.

Additionally, educate staff against installing unauthorized software – or make IT administrators the only users authorized to install software, and explain to staff why that restriction is necessary. A compromised account that holds administrative privileges to systems or applications is a “golden ticket” for an attacker to cause additional harm. Staff who have administrative rights on their machine are more likely to infect it with malicious software, which can then spread to other systems on the network and halt business operations. 

Final thoughts: Make cybersecurity a conversation, not a command

Talking to your staff about cybersecurity should be an ongoing, open dialogue that fosters awareness, accountability, and adaptability. When employees understand the “why” behind the policies, they’re more likely to embrace the “how.” Employees should be empowered to ask questions and take ownership of their digital hygiene. Don’t assume IT will catch everything – cybersecurity is a team sport.

CohnReznick's Cybersecurity teams work cohesively with IT and security leadership teams and other key business stakeholders. From assessments to remediation, we help business owners close gaps in cybersecurity awareness so that all employees can better understand their role. By making cybersecurity a shared responsibility and part of your organizational culture, you not only reduce risk – you build trust, resilience, and a stronger digital future.
