
Employee Security: The Weakest Link in Cyber Defense

NeoBit team · Jun 15, 2026 · 11 min read

Employee security is the most common and most exploited weakness in cyber defense, because attackers know it is easier to deceive a person than to break through a well-configured firewall. Most serious incidents today begin with human error: a click on a phishing link, the use of a weak password, or the disclosure of information during a fraudulent phone call. That is why the greatest gains in security come from combining regular training, clear rules and technical controls that limit the damage when a mistake does happen.

Our solution

Cyber protection for companies - complete protection for your people, data and systems. You do not have to do it alone; we handle it for your company. Request a free assessment.

Why people, not technology, are the weakest link

Technical protection has improved significantly in recent years. Firewalls, antivirus systems, network segmentation and intrusion detection systems have become standard, so it is often no longer worthwhile for attackers to look for a flaw in the software. It is much faster and cheaper for them to target the people who use that software. A single convincing email can bypass months of effort invested in technical defenses.

The reason is simple: people are under pressure, they rush, they trust authority and they want to be helpful. Attackers do not see these traits as flaws, but as tools. An employee who receives a message that appears to come from the director with an urgent payment request will rarely stop to verify it, and it is exactly this reaction that most social engineering attacks rely on. For this reason, employee security is not a "soft" topic or a formality to satisfy an audit, but the foundation on which everything else rests.

How attackers actually target employees

In practice, attacks on people come down to a few proven patterns worth recognizing:

  • Phishing - mass fraudulent emails that imitate banks, suppliers or internal systems and prompt recipients to reveal passwords or open infected attachments.
  • Spear-phishing - a targeted variant in which the message is tailored to a specific person, using real department names, colleagues' names and context taken from LinkedIn or the company website.
  • Business Email Compromise (BEC) - a fraudulent request for an urgent payment or a change of bank account, seemingly sent by management or a known supplier.
  • Vishing - phone calls in which the attacker poses as IT support or a bank and asks for a code, a password or remote access to a computer.
  • Malicious attachments and USB devices - documents with macros or "lost" USB sticks left in a parking lot for a curious person to plug in.

The common thread across all these methods is that they do not attack the system, but trust and habit. That is why they cannot be solved simply by buying a new tool.

What employee security covers in practice

Many companies in Mostar, Sarajevo and across the wider region reduce employee security to a one-off presentation once a year. That is better than nothing, but far from enough. Real resilience is built through several layers that complement one another.

1. Regular and practical training

Training must be short, regular and tied to real situations, rather than a two-hour lecture that everyone forgets by lunchtime. A better approach is short modules throughout the year, accompanied by simulated phishing campaigns in which the company itself, with management's permission, sends harmless test emails and measures who clicks. The goal is not to punish employees, but to give them the chance to make mistakes in a safe environment and learn to recognize the signs of fraud.

2. Clear and workable rules

Policies that no one reads protect no one. Employees should be given a few clear, easy-to-remember rules: how to verify a payment request before executing it, who to report a suspicious message to and how, what may and may not be installed on a work computer, and how to handle confidential data. The rules must be written in language that a person without an IT background can understand.

3. A culture where it is safe to report a mistake

The most dangerous thing is not the mistake itself, but hiding it. If an employee fears the consequences, they will stay silent about clicking a suspicious link, and those few hours of silence are often the difference between a minor incident and full compromise. Management should make it clear that prompt reporting is encouraged and will not be punished, because this is exactly how genuine employee security is built.

4. Technical controls that reduce damage

Since mistakes remain inevitable, defenses must assume that someone will be deceived one day. That is why the following technical measures are just as important as the training itself:

  • Multi-factor authentication (MFA) - even if a password leaks, an attacker without the second factor struggles to get in.
  • Principle of least privilege - an employee has access only to what they need for their job, so a compromised account does not open up the entire network.
  • Email and attachment filtering - a large share of phishing is stopped before it ever reaches the inbox.
  • Regular backups - separated from the network, so that ransomware cannot encrypt them as well.
  • Timely patches and updates - so that a single click does not land on a known and patchable vulnerability.

Comparison: training, rules and technology

No single layer is sufficient on its own. The following table shows what each one solves and what it does not, and why they need to be combined.

| Layer of defense | What it solves | Limitation |
|---|---|---|
| Training and simulations | Improves fraud recognition and reduces the number of clicks | People still make mistakes under pressure |
| Rules and procedures | Provides a clear process for risky situations (payments, reporting) | Only effective if applied and verified |
| Technical controls | Reduces damage when a mistake occurs (MFA, privileges, backups) | Does not change employee behavior |
| Reporting culture | Shortens reaction and incident detection time | Requires consistent management support |

How to get started in a small or medium-sized company

Smaller companies often think they are too small to be a target. In reality, the opposite is true: attacks are mostly automated and indiscriminate, while a smaller budget and a leaner IT team mean weaker defenses. The good news is that the first steps do not require major investment.

  1. Introduce MFA on email and all key services, as it is the measure with the best ratio of effort to impact.
  2. Launch short training for all employees, with an emphasis on phishing and CEO fraud.
  3. Define a payment procedure - any change to a supplier's bank account is confirmed by phone on a known number.
  4. Create a backup plan and test data restoration, not just the creation of backups.
  5. Test your own resilience with a controlled penetration test or simulated phishing to see where you really stand.

It is precisely at this last step that many companies discover that their assumptions about their own security do not match reality. If you want an objective picture, take a look at our services or fill out the short pentest questionnaire so we can assess where your biggest risks lie.

How to set up a simulated phishing program without creating fear

Simulated phishing is the best way to measure the actual behavior of employees, but it is easy to set up incorrectly. If the campaign is perceived as a hunt for someone to blame, you will end up with a team that is afraid, hides mistakes and does not report real attacks. The goal is the opposite: to learn, measure and improve over time. A well-run program goes through several clear steps.

First, the scope and rules are agreed with management: how often test messages are sent, what data is measured and, most importantly, that the results serve learning rather than punishment. Then a first, deliberately milder campaign is created to establish a baseline. Only after it do harder and more convincing messages follow, imitating real scenarios from the company's environment, for example a fake payroll notice or a message seemingly from a known supplier.

What is measured is just as important as the message itself. It is useful to track three metrics: how many people opened the message, how many clicked the link or entered data, and, perhaps most importantly, how many reported the suspicious message. A high number of reports is a better indicator of health than a low number of clicks, because it means employees are actively paying attention and reacting. Anyone who clicks does not receive a reprimand, but short, targeted training right then and there. After several cycles, the results are compared to see progress and identify departments that need extra attention. In this way the simulation becomes a tool for strengthening rather than intimidation, and directly reinforces employee security.
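As an added illustration of the measurement step described above (example code written for this article, not a NeoBit tool), the following script aggregates the three metrics per department and per campaign cycle, flags departments whose click rate is too high or whose report rate is too low, and shows the change between the baseline and a later cycle. The campaign records are constructed sample data; in practice they would be exported from whatever phishing-simulation platform the company uses, and the thresholds are assumptions to be agreed with management.

```python
"""Aggregate simulated phishing results per department and per cycle.

Added example, not NeoBit's code. The result records below are constructed
sample data; a real program would export them from the simulation platform.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    cycle: int          # campaign number (1 = baseline)
    department: str
    opened: bool        # opened the test message
    clicked: bool       # clicked the link or entered data on the fake page
    reported: bool      # reported the message to IT


# Constructed sample data: two cycles, two departments, four people each.
SAMPLE_RESULTS = [
    Result(1, "finance", True, True, False),
    Result(1, "finance", True, False, True),
    Result(1, "finance", True, True, False),
    Result(1, "finance", False, False, False),
    Result(1, "sales", True, False, True),
    Result(1, "sales", True, True, False),
    Result(1, "sales", False, False, False),
    Result(1, "sales", True, False, True),
    Result(2, "finance", True, True, False),
    Result(2, "finance", True, False, True),
    Result(2, "finance", False, False, False),
    Result(2, "finance", True, False, True),
    Result(2, "sales", True, False, True),
    Result(2, "sales", True, False, True),
    Result(2, "sales", False, False, False),
    Result(2, "sales", True, False, True),
]


def compute_rates(results):
    """Return {cycle: {department: {open_rate, click_rate, report_rate}}}."""
    buckets = defaultdict(list)
    for r in results:
        buckets[(r.cycle, r.department)].append(r)
    rates = defaultdict(dict)
    for (cycle, dept), rs in buckets.items():
        n = len(rs)
        rates[cycle][dept] = {
            "open_rate": sum(r.opened for r in rs) / n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return dict(rates)


def departments_needing_attention(rates, cycle, click_threshold=0.3,
                                  report_threshold=0.3):
    """Departments whose click rate exceeds, or report rate falls below,
    the (assumed) thresholds in the given cycle. A low report rate is
    flagged on its own, since reporting is the healthier signal."""
    flagged = []
    for dept, m in sorted(rates[cycle].items()):
        if m["click_rate"] > click_threshold or m["report_rate"] < report_threshold:
            flagged.append(dept)
    return flagged


def progress(rates, dept, from_cycle, to_cycle):
    """Change in click and report rate between two cycles.
    A negative click_delta and a positive report_delta mean improvement."""
    a, b = rates[from_cycle][dept], rates[to_cycle][dept]
    return {
        "click_delta": b["click_rate"] - a["click_rate"],
        "report_delta": b["report_rate"] - a["report_rate"],
    }


if __name__ == "__main__":
    rates = compute_rates(SAMPLE_RESULTS)
    for cycle in sorted(rates):
        print(f"cycle {cycle}: {rates[cycle]}")
        print("  needs attention:", departments_needing_attention(rates, cycle))
    print("finance 1->2:", progress(rates, "finance", 1, 2))
```

With the sample data, finance is flagged in the baseline cycle (half of the department clicked) and no longer in the second cycle, where its report rate has doubled; that per-department view is what decides where the short, targeted follow-up training goes.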

New employees and security from day one

A new colleague is especially vulnerable in the first weeks: they do not know the internal processes, do not know what normal messages look like, and tend to trust everyone in order to fit in. Attackers know this, so they often target new employees soon after their name appears on the web or LinkedIn. That is why the security part of onboarding must not wait until "there is time", but should be part of the first working day.

A practical checklist for onboarding a new employee might look like this:

  • Assigning an account under the principle of least privilege, with MFA mandatory and enabled before the first login.
  • A short conversation about the most common scams at the company and specific examples that have already occurred.
  • Clear instructions on who to report a suspicious message or call to and how, with an exact contact.
  • An explanation of the procedure for payments and changes to supplier details, since new staff are a frequent target of BEC fraud.
  • Rules on the use of personal devices, USB drives and software installation on the work computer.

These few steps take less than an hour, yet remove a large part of the risk that usually accompanies a new person's first weeks at a company.

What an incident that starts with a single click looks like

To understand why speed of reporting and technical controls matter so much, it helps to follow the typical course of an incident. The following table shows a simplified but realistic sequence of events and the points at which the attack can be stopped.

| Phase | What happens | Where the attack can be interrupted |
|---|---|---|
| Message arrives | A phishing email lands in the employee's inbox | Email filtering stops some messages before delivery |
| Click and data entry | The employee clicks and enters a password on a fake page | Training helps recognize the fake address and urgent tone |
| Login attempt | The attacker uses the stolen password to gain access | MFA blocks the login without the second factor |
| Spread across the network | The attacker looks for additional systems and data | Least privilege limits the account's reach |
| Detection | The activity is noticed or the employee reports the mistake | Prompt reporting and monitoring shorten reaction time |

The message is clear: there is no single measure that solves everything, but each layer reduces the chance that the attack will succeed or run its full course. Continuous monitoring and a rapid response to such situations are part of managed detection and response services, which help when internal controls are nonetheless bypassed.

Employee security as an ongoing process

The biggest mistake is to treat security as a project with a completion deadline. Attackers change tactics, people forget, and new employees who have not had any training join the company. That is why employee security should be treated as an ongoing process: regular short training, occasional simulations, updating of rules, and clear rules for new colleagues from day one.

When the human layer is combined with technical controls and a culture in which reporting a mistake is encouraged, the weakest link in your defenses becomes exactly what attackers least expect: an attentive and prepared team. If you need help setting up that process for your company in Mostar, BiH or across the wider region, feel free to contact us via our contact page.

Frequently asked questions

Why are employees said to be the weakest link in cyber security?

Because today it is often easier to deceive a person than to break through well-configured technical protection. Attackers exploit haste, trust and respect for authority, so a single convincing email or phone call can bypass expensive security systems. With regular training and clear rules, this risk is significantly reduced.

How often should employee security training be carried out?

It is better to run short training sessions several times a year than one long lecture once a year. Experience shows that a combination of short modules and occasional simulated phishing tests delivers better and longer lasting results, because people practice recognizing fraud in real situations rather than just listening to theory.

What is phishing and how can an employee recognize it?

Phishing is an attempt at fraud using fake messages that imitate banks, suppliers or internal systems in order to obtain passwords or money. Typical signs are a sense of urgency, unexpected requests for payments or data, suspicious links, and sender addresses that only resemble the real ones. In case of doubt, the message should not be opened, but reported to IT.

Can a small company in BiH test the resilience of its employees?

Yes, and it is recommended. Controlled penetration tests and simulated phishing campaigns conducted with management's permission show where the real weaknesses are, without causing any damage. NeoBit offers such services to companies in Mostar, BiH and the region, and an assessment can be started through a short pentest questionnaire or by direct contact.

Related guides: Cyber security in BiH - the complete guide · How to choose a cyber security company - 7 criteria for 2026 · Cyber security for companies: a guide for small and medium-sized businesses in BiH