Cybersecurity Myths: Why Cybersecurity Is Every Employee's Problem

Cybersecurity isn't just an IT matter: most breaches start with people. Learn why human risk is your biggest vulnerability and how to fix it.
Marouane Sabri
Defendis Co-founder

Picture this: a finance manager at a mid-sized company receives an email from what appears to be the CEO, asking them to urgently wire funds to a new supplier account. The email looks real. The tone is right. The manager processes the transfer. The money is gone. Not one line of code was written. Not a single firewall was bypassed. The IT team had done everything right, and it didn't matter.

This scenario, a classic Business Email Compromise (BEC) attack, cost businesses $2.77 billion in 2024 alone according to the FBI (Internet Crime Report 2024). And it illustrates exactly why one of the most costly cybersecurity myths still circulating today is the belief that "cybersecurity is strictly an IT department problem."

The Myth: Lock the Tech, Lock the Threat

The thinking behind this myth is intuitive: cyberattacks involve technology, so the people who manage technology should handle defence. Install the right firewall. Deploy the best antivirus. Hire a skilled IT team. Job done. The rest of the organisation (sales, finance, HR, operations, the C-suite) can focus on their actual work and leave security to the experts.

It's a clean division of responsibility. And it's fundamentally wrong.

Why the Myth Persists

This belief took root in an era when cyberattacks genuinely were technical affairs: hackers exploiting software vulnerabilities, breaking through network perimeters, brute-forcing passwords with specialised tools. Defending against those threats did require technical expertise, and the IT department was the natural home for that work.

But the threat landscape shifted dramatically. Attackers discovered something more efficient than breaking through a locked door: convincing someone on the inside to open it. Phishing, social engineering, and credential theft became far cheaper and more effective than technical exploitation. Today's attacks are largely human problems wearing a technological costume.

The myth also persists because it's convenient. Telling every employee that they share responsibility for cybersecurity requires training investment, culture change, and leadership commitment. Telling them that "IT handles it" is much easier, even if it leaves the organisation dangerously exposed.

The Reality: Your Biggest Vulnerability Has an Email Address

The data is stark. According to Mimecast's State of Human Risk Report 2025, drawing on surveys across nine countries, 95% of data breaches in 2024 involved human error, including phishing, credential misuse, and employee negligence. A Stanford University study arrived at a similar figure of 88%. Verizon's 2025 Data Breach Investigations Report found that 68% of all breaches directly involve a human element.

To be clear: these aren't IT staff making mistakes. They're ordinary employees across every department, clicking a convincing phishing link, reusing a password, forwarding sensitive data to the wrong address, or being tricked by a well-crafted BEC email. And Mimecast's data reveals a striking concentration: just 8% of employees are responsible for 80% of all security incidents. Those high-risk individuals are distributed across your entire workforce, not clustered in the server room.

Real-world cases from 2024 and 2025 make this vivid:

  • Change Healthcare (February 2024): The largest healthcare data breach in US history, affecting 190 million Americans, began when attackers used stolen credentials on a remote access portal with no MFA. The entry point wasn't a technical vulnerability. It was a compromised credential, likely obtained via phishing a non-technical employee. CEO Andrew Witty acknowledged this single failure before the US Senate Finance Committee.
  • Ascension Health (2024): A ransomware attack that disrupted 142 hospitals for nearly four weeks began when an employee downloaded a malicious file, a single click that cascaded into 5.6 million patients having their data exposed and an operational shutdown across an entire hospital network.
  • Business Email Compromise (ongoing): BEC attacks don't target IT systems at all. They target humans: finance staff asked to approve fraudulent wire transfers, HR teams tricked into sending payroll to attacker-controlled accounts, executives impersonated in emails to their own colleagues. The FBI recorded $2.77 billion in BEC losses in 2024 alone.

And the problem isn't just operational staff. Leadership teams are increasingly targeted through executive impersonation and spear-phishing. Regulators have noticed: the SEC's cybersecurity disclosure rules now require public company boards to exercise active oversight of cyber risk and disclose that oversight in annual filings. Directors who treat cybersecurity as someone else's problem now face personal accountability.

The Takeaway: Cybersecurity Is a Whole-Organisation Sport

Reframing cybersecurity as a shared organisational responsibility isn't just philosophically correct; it's operationally essential. Here's what that looks like in practice:

  • Run regular, realistic security awareness training. Generic annual compliance tick-boxes don't change behaviour. Simulated phishing exercises and role-specific training do. Research shows that well-designed awareness programmes can reduce phishing click rates by up to 86%.
  • Make cybersecurity part of onboarding and culture. Every new hire should understand that security hygiene (strong passwords, MFA, recognising phishing) is part of their job, regardless of role.
  • Give finance and HR departments dedicated threat briefings. These teams handle money and sensitive data and are disproportionately targeted by BEC and phishing attacks. They deserve specific training, not generic warnings.
  • Engage leadership seriously. The tone from the top matters. When CEOs and senior leaders visibly take cybersecurity seriously, not by delegating it but by participating in training and championing awareness, the culture follows.
  • Enable MFA everywhere, without exception. The most effective single control against credential-based attacks requires a decision from leadership, not the IT team. Roll it out universally.

Conclusion

The organisations that get breached aren't usually the ones with the worst IT teams. They're the ones where a single employee in finance, HR, or operations became the weakest link, because no one told them they were part of the defence. Cybersecurity awareness isn't an IT project. It's an organisational culture, and it starts with leadership deciding to build it.

About the author
Marouane Sabri is the Co-Founder and Chief Marketing Officer of Defendis. With a background in communications and digital strategy, he leads Defendis’ market expansion.
