Employee training is critical in the fight against cyber threats. “It’s true the weakest link in the cybersecurity chain is the user,” said John Riggi of BDO Consulting. “A common way for adversaries to gain access to a network is through email. It’s hard to tell the difference between legitimate emails and fake ones.” Humans are prone to mistakes, and training that is designed to correct these mistakes is an important weapon in any organization's security arsenal. However, it might not be enough. “The idea of just educating the user and not investing in an in-depth defense strategy with proper controls, monitoring, and the like is a formula for disaster,” said CynergisTek CEO Mac McMillan. “Policy and education alone don't stop anything. There are ways around it with an authorized user.” Regardless of how many times employees are trained, they will act out of their own free will. “Leaders need to take an inventory of the IT assets, through a process of interviewing within the enterprise to determine the data being used, the programs using the data, and how it moves through the organization,” says Judy Selby, managing director of the technology advisory service for BDO Consulting. While employees are the weakest link, they aren’t an organization’s only security gaps.