Cybersecurity: The human firewall – From the CEO to the shop floor
Modern cybersecurity goes far beyond technology. It’s a holistic approach that brings together systems, processes, organisational structures and—crucially—people. Employees play a vital role in protecting data and access points across the business. That’s the view of Mathias Schick, Business Manager Security at Bechtle—and the statistics back it up. Depending on the source, between 70 and 90 percent of cyberattacks target people directly, often through tactics like social engineering, phishing, spear phishing or CEO fraud.
Written by: stefan.maurer@bechtle.com
Are employees the biggest security risk, Mr Schick?
I wouldn’t put it that way. In fact, well-trained and security-aware employees are a key pillar of effective cyber resilience. That said, cybercriminals tend to target the weakest link in the chain—and that’s often the individual user. This creates a dilemma for modern cybersecurity, because when technical safeguards are so effective that only a handful of malicious messages get through, employees may lack the routine needed to spot them. And that’s precisely when attacks succeed, because the psychological triggers in the digital world are the same as in real life: curiosity, pressure, fear, and narcissism.
How do we support employees?
By providing regular training and raising awareness of the risks posed by cyberattacks. Artificial intelligence, for instance, is opening up entirely new dimensions that many people aren’t even aware of—such as CEO fraud involving deepfake videos or spoofed phone calls. It’s essential that training is tailored to each employee’s level of knowledge, because not everyone starts from the same point. But even more important is letting go of the idea that IT security is solely the responsibility of the tech team. Cybersecurity is a collective responsibility that must be embedded across the entire organisation.
Let’s talk about awareness training. What should companies focus on?
From my perspective, there are three key points. First, continuity is crucial. Building awareness isn’t a one-off project—it’s an ongoing process. Second, tailoring the training to specific target groups makes a real difference. An administrator faces different risks than someone working on the production line, so the content needs to reflect that. And third, relevance and practical application are essential. Training should be grounded in real-world threats and closely tied to employees’ day-to-day work.
How can training be embedded into a broader security strategy?
By treating it as part of a company-wide security culture. That means fostering a positive approach to mistakes—not fear. Employees need to feel encouraged to report errors and incidents without hesitation and there must be no negative consequences for doing so. On the contrary, it should be recognised as a strength when someone speaks up and helps uncover potential issues.
So psychological factors play a role, too?
Absolutely—they’re hugely important, and everyone working in cybersecurity should remain mindful of them. One thing is clear: companies rely on their people to build resilience. Without them, it simply doesn’t work.
You mentioned a security culture. Who’s responsible for driving it?
Ultimately, it has to come from the top. Management plays a key role, not only because of the growing regulatory demands around cybersecurity, but also because security needs to be firmly anchored on the leadership agenda. It’s a cultural issue, a regulatory obligation, and a strategic business priority. After all, digital transformation and new digital business models can only succeed if they’re secure. And that requires the full attention of senior leadership.