From Unaware Clicks to Human Firewall: How Security Awareness Is Transforming Corporate Defense

Why your employees are still your biggest security risk

Every cybersecurity breach starts somewhere, and more often than not, it starts with a person. A distracted employee clicks a phishing link during a busy Monday morning. An office manager opens an attachment that looks like an invoice. A sales rep enters credentials on a convincing fake login page.

According to Verizon’s 2024 Data Breach Investigations Report, the human element is involved in roughly 68% of all breaches. For small and medium businesses across Europe, this statistic should be a wake-up call — not because employees are careless, but because most of them have never been taught what to look for.

From unaware clicks to human firewall: what security awareness actually means

Security awareness training is not a one-off presentation with a stale PowerPoint deck. At least, it shouldn’t be. The concept of turning employees into a “human firewall” means building a workforce that can recognise, report and resist social engineering attacks as a reflex — not just as a checkbox exercise.

For Italian and European SMBs, this shift matters enormously. Under the NIS2 Directive, which came into full effect in October 2024, a much wider range of companies now face mandatory cybersecurity obligations. These include supply chain security requirements, incident reporting duties and — critically — workforce training. Non-compliance can result in fines of up to €10 million or 2% of global turnover.

The message from regulators is clear: technical defences alone are not enough. You need people who know what they are doing.

What a modern programme looks like

Effective security awareness programmes share a few common traits that set them apart from outdated approaches:

  • Continuous micro-training rather than annual seminars. Short modules delivered monthly or even weekly keep security top of mind without disrupting productivity.
  • Simulated phishing campaigns that test employees in realistic scenarios. When someone clicks a fake phishing email, they receive immediate feedback explaining what they missed.
  • Role-based content that speaks to different risk profiles. A finance team handling wire transfers faces different threats than a warehouse manager using shared tablets.
  • Measurable outcomes tracked over time. Click rates on simulated phishing, reporting rates and time-to-report all provide concrete evidence of improvement.

Research from KnowBe4 shows that organisations running consistent training programmes can reduce phishing susceptibility from around 33% to under 5% within 12 months. That is a dramatic reduction in risk for a relatively modest investment.
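As an added example (not code from the original article or from any vendor it mentions), the metrics named above, click rate, reporting rate and time-to-report, computed per campaign from simulated phishing results, with a trend check of the kind used to evidence the improvement the text describes. The dataset, field names and campaign labels are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class SimResult:
    """One recipient's outcome in one simulated phishing campaign."""
    campaign: str
    user: str
    clicked: bool
    reported_after_s: Optional[int]  # seconds from delivery to report; None if never reported


# Constructed sample data for two campaigns (not real results).
RESULTS = [
    SimResult("2024-Q1", "ana", True, None),
    SimResult("2024-Q1", "ben", True, None),
    SimResult("2024-Q1", "cao", True, None),
    SimResult("2024-Q1", "dee", False, 600),
    SimResult("2024-Q1", "eli", False, 1800),
    SimResult("2024-Q1", "fay", False, None),
    SimResult("2024-Q2", "ana", True, 60),    # clicked, then reported: still counts as a report
    SimResult("2024-Q2", "ben", False, 300),
    SimResult("2024-Q2", "cao", False, 900),
    SimResult("2024-Q2", "dee", False, 120),
    SimResult("2024-Q2", "eli", False, None),
    SimResult("2024-Q2", "fay", False, None),
]


def campaign_metrics(results, campaign):
    """Click rate, reporting rate and median time-to-report for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results for campaign {campaign!r}")
    report_times = [r.reported_after_s for r in rows if r.reported_after_s is not None]
    return {
        "sent": len(rows),
        "click_rate": sum(r.clicked for r in rows) / len(rows),
        "report_rate": len(report_times) / len(rows),
        "median_time_to_report_s": median(report_times) if report_times else None,
    }


def trend(results):
    """Per-campaign metrics in label order, plus whether click rate fell every campaign."""
    campaigns = sorted({r.campaign for r in results})
    series = [campaign_metrics(results, c) for c in campaigns]
    improving = all(b["click_rate"] < a["click_rate"] for a, b in zip(series, series[1:]))
    return campaigns, series, improving
```

Reporting rate is counted independently of clicking, so a user who clicks and then reports still raises the reporting rate; that behaviour is what you want to reward.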

The real cost of ignoring human risk

Many SMB owners still think of cybersecurity as a technology problem — something you solve by buying a firewall or antivirus licence. But the numbers tell a different story.

IBM’s Cost of a Data Breach Report 2024 puts the average breach cost at €4.5 million globally. For smaller companies, the figure is lower in absolute terms but often more devastating proportionally. A ransomware attack that locks down operations for two weeks can push a 50-person company to the edge of closure.

In Italy specifically, the Clusit 2024 report documented a 65% increase in significant cyber incidents compared to the previous year. SMBs in sectors like manufacturing, logistics and professional services have become prime targets, often because attackers know these companies invest less in security training.

The GDPR adds another layer of financial exposure. Data protection authorities across the EU have increasingly issued fines for breaches caused by inadequate staff training, arguing that a company cannot claim to have implemented “appropriate technical and organisational measures” if its employees cannot recognise a basic phishing email.

Common objections — and why they don’t hold up

“We’re too small to be a target.” Attackers use automated tools that scan for vulnerabilities regardless of company size. If your email domain exists, you are a target.

“We already have IT handling security.” Your IT team cannot intercept every phishing email or prevent every social engineering call. The person answering the phone needs to know what a pretexting attack sounds like.

“Training is too expensive and time-consuming.” Cloud-based platforms now offer enterprise-grade awareness training at costs that are accessible even for businesses with 20 employees. Most programmes require less than 15 minutes per month from each staff member.

How to get started without overcomplicating things

Building a security-aware culture does not require a massive budget or a dedicated security team. Here is a practical starting point for any European SMB:

  1. Run a baseline phishing simulation to understand your current exposure. Several platforms offer free initial assessments.
  2. Choose a training platform that supports multiple languages, including Italian, and aligns with EU regulatory requirements. Look for GDPR-compliant providers with data centres in Europe.
  3. Start with the fundamentals: phishing recognition, password hygiene, safe browsing, and how to report suspicious activity. Build complexity over time.
  4. Involve leadership visibly. When the CEO or managing director participates in training, it sends a message that security is everyone’s responsibility — not just IT’s problem.
  5. Review and adapt quarterly. Track metrics, adjust scenarios to reflect current threat trends and celebrate improvements with the team.

The transition from unaware clicks to a functioning human firewall is not instant. It takes consistency, realistic training and genuine commitment from leadership. But for European SMBs navigating an increasingly hostile threat landscape and tightening regulatory demands, it is no longer optional — it is one of the most cost-effective security investments you can make.


Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.
