Cybersecurity was a major topic at CES 2023, and one panel described strategies around one of the important and often ignored components: people. Moderated by Strategic Cyber Ventures chief executive Hank Thomas, panelists examined people’s personal relationship with cybersecurity, how they fall victim to cybercrime and how they could be incentivized to take more responsibility for their online activities. Terranet Ventures executive in residence Carole House, who was recently director of cybersecurity at the National Security Council in The White House, said that seeing individuals badly impacted “elevates cybercrime as a national imperative.”

T-Mobile US senior vice president and chief security officer Timothy Youngblood said that one thing he’s taken from a career at multiple Fortune 500 companies is that “security is a people business.” “All it takes is one person to make the wrong decision,” he noted.

He recommended person-based training from retail stores to executive suites. “We run phishing campaigns on a monthly basis to see if it’s working,” he said. “We see if they make the right choice. But we don’t overwhelm them with training.”

For Steve Thomas, chief executive and co-founder of HackNotice, a threat awareness company, cybersecurity training is part of the problem. “The major companies in that space make videos about security, and training is often the first and last stop to making someone security aware,” he said. But the real problem, he continued, is that “most people in companies think that security isn’t their job, so they don’t do it.”

His company specializes in using real security events as teachable moments to show how people are personally targeted. “Once you realize you’re under threat, you start acting very differently,” he explained. “We show how people are personally targeted and the best practices they can take.”

House is sympathetic to the impact on people when the government is hacked. “But I also think that it makes you a sounder institution to have recognition of the liability and business interests in being secure among companies,” she noted.

Moderator Thomas brought up the 2015 OPM breach when the U.S. Office of Personnel Management was hit. “It educated a lot of people with security passes about the danger,” he said.

Educating the ordinary person is necessary to get a grip on ever-increasing ransomware attacks and other breaches. “For employers, it’s building an environment of security, and our biggest help is to ask employees, without being adversarial, to be part of the solution,” said Thomas.