
Cybersecurity's Weakest Link: The Untrained Employee

By Claudio Martinelli - Kaspersky
Managing Director Americas


Published Thu, 07/31/2025 - 06:00


When we talk about cyberattacks, we often imagine expert hackers executing complex schemes to infiltrate the corporate networks of large enterprises. That threat is real, but today most security breaches begin with something far more ordinary, and often underestimated: an employee who has not been trained to recognize and respond to a threat, whatever their level or department within the organization.

In Mexico, according to a study by Kaspersky, 76% of people do not know what ransomware is, 56% are unaware of phishing, and 21% don’t understand what the term malware refers to. These are, in fact, some of the most common threats organizations face today. Cybercriminals continue to exploit them actively, taking advantage of widespread lack of knowledge to target employees directly, whether in large corporations or small businesses, hoping that a single impulsive click on a suspicious link or the installation of a fake update will grant them access to internal systems.

This reality is compounded by a widespread poor practice among Mexican employees, as revealed in Kaspersky’s recent Digital Language study: nearly half of them (48%) use their corporate devices to access personal social media accounts, shop online, or log in to their personal banking. Another 43% admit to using artificial intelligence platforms from their work computers, and 35% connect to public or open Wi-Fi networks — unknowingly providing cybercriminals with multiple entry points, without fully understanding the risks involved.

For an employee working, for example, in marketing or human resources, these behaviors might seem harmless, as they may not be familiar with the real risks of clicking on a link received through a social network accessed from a work computer. However, these actions represent not only an individual risk but also a latent vulnerability that can compromise an entire company in a matter of seconds, resulting in financial losses, theft of confidential information, complete operational shutdown, and reputational damage.

The situation can be completely different if that same employee receives prior training on basic cybersecurity topics. Such training is now essential for any company, regardless of its size, industry, or level of digitalization, if it truly wants to protect itself against increasingly sophisticated, targeted, and persistent threats. For training to be effective, companies must also clearly communicate their cybersecurity policies and protocols, along with the specific expectations placed on each employee, so that people know not only what the threats are but also what they are expected to do about them.

Unfortunately, the same Kaspersky study shows that 31% of Mexican workers are unaware of their company's security policies. Even more concerning, 12% don’t know whether their employer has any cybersecurity policies at all. Meanwhile, 19% are aware that a policy exists but are unfamiliar with its contents. Altogether, nearly 4 in 10 employees in the country are unclear about what their company expects from them to protect the corporate environment and prevent security incidents.

Let’s think of a house: we want it to be secure, but no system can protect it if people leave the doors and windows open when they leave. The level of security of any structure will always match the strength of its weakest point. That’s why, beyond informing employees about cybersecurity policies, it is essential for organizations to invest continuously in digital education.

What should be the guiding principle for training? Simple: if someone has access to a computer, account, or application connected to the corporate environment, they must be trained, from the person at the front desk to the highest-level executive. No one is exempt from being the target of an attack or scam attempt, so everyone must know how to recognize a risk, how to react to it, and whom to report it to, no matter how small it may seem.

It is important to remember that every company needs a cybersecurity strategy that includes three key elements: threat intelligence, which allows organizations to anticipate risks, identify attack patterns, and make informed decisions to strengthen defenses before an incident occurs; a cybersecurity solution suited to the company’s size, operations, and sector, to ensure comprehensive protection of systems, data, and devices; and, as I have explained, continuous employee training across all levels, turning them into a true, active line of defense.

This last element must not be underestimated, especially considering that cybercriminals understand something many organizations have yet to fully realize: why spend time, money, and resources trying to break into highly protected systems, when they can simply trick an unsuspecting employee who checks social media or downloads a file without verifying its source from their work computer?

It’s true that an untrained employee can be the weakest link in a company’s cybersecurity chain. However, with the right information and a culture of ongoing prevention, that same employee can become the first line of defense against an attack. Prioritizing digital education is a strategic investment that empowers people, protects the organization, and strengthens every point of contact within the corporate environment. Because when each employee understands their role in digital security, the company stops being vulnerable and becomes a truly cyber-resilient organization.
