First, the bad news. Then, the really good news.

First, the bad news, which is something most of us already know: cybersecurity isn’t fun or exciting. No one really wants to talk about it. At all.

As humans, our default instinct is to ignore things that threaten us until they impact us directly even as we are very weak and vulnerable to them. That’s why hardly anyone has an estate plan or business continuity strategy. The real problem is this: the less we care, the more vulnerable we are.

For example, we know that people generally all have a tough time resisting phishing emails crafted around positive or negative self-interest, especially if it evokes fear, curiosity or a sense of urgency. Content crafted around tragedies that take place nationally or globally are common ways to bypass critical thinking of people at the receiving end of these malicious messages. This is a default weakness built into the way our brains work.

The good news? We can train our brains to be more resilient to this sort of trickery in a way that puts better awareness at the front of our minds. Because people are the weakest link when it comes to protecting information, social engineering should be our number one priority to build awareness against. This approach is the only one that works both short-term and long.

Let’s think about biology for a moment. In the case of a virus outbreak we inoculate people against the threat to minimize the risk of it spreading and causing more damage. It’s the same with cybersecurity. Only by exposing our people to certain kinds of threats can we build up any resilience. Once they begin to see what threats can look like, we can help them refine their instincts to suspect and detect things like phishing emails so that when something nasty gets through all the other layers of security, the firewalls, antivirus programs, spam filters, every other layer of complexity in front of the point where it hits someone’s inbox, we can rely on our people to be an effective last line of defense. And we do that through building up their immunity through awareness.

The other thing that helps us successfully keep that awareness in the front of our minds as organizations is the message of the importance of awareness and how we deliver it. It is your job as their leader to make it relevant to them. It’s your responsibility to deliver messages that are important to the people in your organization. This message has to be delivered through multiple channels and contexts in ways they’ll hear and internalize. That’s the only way to elevate a culture’s awareness that works.

Bring a liaison program in or a consultant with fresh ideas, whatever fits best, and make security awareness not just IT’s job or an outside security team but instead make it a distributed role throughout the organization so that your people become the eyes, ears, hands and mouths of advocacy to protect the bottom line.

What do I mean when I say “security awareness”? What do we need to be aware of?

Let’s answer this by considering some questions worth asking.

First, why should we care? We want to tell our people why they should care. How can not caring impact the bottom line, their jobs or create liability that leads to losing client trust?

What do we need to protect? What do they need to protect? And what is their role and responsibility? That’s the information, the personally identifiable information, the data that can lead to risk for the organization. What data is most valuable? How much of it is worth protecting? What is their specific role and how do they execute that? That’s everyone’s responsibility.

How do we now make this practical? How do we do it even as we focus on sharing information with external audiences, clients, partners and outside vendors? We use scenarios to tell stories about what happens in specific situations when we make good choices and bad. These are brief, interesting 10-15-minute exercises in either small or large groups.

This is all about realizing that humans are the core of our businesses. Focusing our security efforts through the technology layers alone is a mistake. People all use technology so the strategy has to include the human layers to build resilience that can’t easily be defeated in our people, transforming them from our greatest weakness into our greatest strength.