Your Employees Are Your Biggest Cybersecurity Threat. Here’s What to Do About It

Photo of Brian Largent

Brian Largent

CEO, ArcLight Group

May 25, 2026 11 min read
Share:
Your Employees Are Your Biggest Cybersecurity Threat. Here’s What to Do About It

I need to introduce you to someone. Her name is Susie.

Susie’s been with your company for thirty years. Everybody loves Susie. She’s reliable, she’s loyal, she knows where everything is and how everything works. She’s the person who trains the new hires and remembers everyone’s birthday.

Susie also falls for every single fake phishing email we send her.

Every. Single. One.

Now here’s the question that should keep you up at night: is Susie in charge of making payments? Because if she is, if Susie is the one processing invoices, wiring money, handling vendor payments, you’ve got a problem that no firewall or cybersecurity software in the world is going to solve.

And even if she’s not handling money? Her computer is still a launching point. Once someone gets into Susie’s machine, they can use it to attack every other device on your network. Susie’s computer becomes the front door.

I’m here to tell you, the biggest threat to your business isn’t some hacker in a hoodie sitting in a dark room somewhere. It’s Susie. It’s your operations manager. It’s you. It’s me.

Yeah. Me too.

The Time I Fell for My Own Phishing Test

So I need to come clean about something. This is a story my team still won’t let me live down.

I was driving to the office one morning. Stopped at a red light. Pulled out my phone to check email like we all do, and there it was: “Your Microsoft 365 password has expired. Click here to reset it.”

I clicked the link.

It took me to our own phishing test platform. I had just fallen for one of the fake phishing emails my own company sends out to test people. My company. The cybersecurity company.

Now, I didn’t enter my password. I would have caught it before I went that far. But here’s the thing: the system notified my entire team that I’d clicked the link. There was a lot of teasing. And it still is to this day.

But that’s exactly the point I’m trying to make. I’ve been doing this for over thirty years. I know what phishing emails look like. I train people on this stuff for a living. And I still clicked it, because I was busy, I was distracted, and it looked legitimate enough in the two seconds I glanced at it.

We all get busy. This is not about trust. People make mistakes, and we’ve got to protect them from the mistakes they can make.

What the Threat Actually Looks Like

Here’s a scenario that plays out every single week at companies across Oklahoma, and I’m not exaggerating.

Someone calls Susie. Says, “Hi Susie, this is Bob with techsupport.com. We’re showing that your computer has a problem and I need to take a look at it.” Susie, because she’s helpful and trusting and doesn’t want her computer to cause problems for anyone, goes to the website Bob tells her to visit. She downloads remote access software. She installs it. She gives Bob access.

Now Bob, who is not Bob, and does not work for any tech support company, can see everything on her machine. He can enumerate credentials. He can move laterally through your network. He can access your file shares, your email, your financial systems. Susie just handed someone the keys, and she thought she was being responsible.

It’s not about trusting Susie. It’s about the fact that Susie shouldn’t have been able to install that software in the first place.

The Solution Ladder

So what do you actually do about this? There’s a progression here, and I’m going to walk you through it from the simplest step to the more sophisticated ones.

Step 1: Remove Local Administrative Rights

This is the single fastest thing you can do to reduce your risk. If Susie doesn’t have administrative rights on her computer, she can’t install software. Period. When Bob from “tech support” tells her to download and install his remote access tool, she gets an error message instead. Problem solved before it starts.

Now, I’m not going to pretend this doesn’t create friction. It does. Susie needs to install a printer driver. Susie’s traveling to a convention and needs to install a temporary app. Susie’s got a legitimate need, and now she’s stuck.

That’s where the next step comes in.

Step 2: Privileged Access Management (PAM)

This is the grown-up version of removing admin rights. Susie still doesn’t have administrative access day-to-day. But when she needs to install something legitimate, a prompt goes to an administrator who can approve or decline it remotely. It’s like a bouncer at the door. The door isn’t welded shut, but someone’s checking IDs.

This solves the convenience problem without reopening the security hole. Susie can still get what she needs to do her job. She just can’t unilaterally install whatever a stranger on the phone tells her to.

Step 3: EDR/MDR/XDR, Next-Gen Endpoint Protection

Here’s where I need to clear up a misconception. A lot of business owners think they’re protected because they’ve got antivirus on their computers. Norton, McAfee, whatever came pre-installed.

That’s not how it works anymore.

Traditional antivirus is definition-based. It has a list of known threats, and it checks files against that list. The problem is that new threats are created constantly, and definition-based antivirus is always playing catch-up. By the time the threat is on the list, the damage is done.

Modern endpoint protection (EDR, MDR, XDR, whatever acronym you want to use) works completely differently. It uses AI-driven behavioral analysis. Instead of checking a list, it watches what programs are doing and flags anything that looks suspicious. Software trying to encrypt a bunch of files at once? That’s not on a list. That’s a behavior, and modern tools catch it.

There are different tiers, different price points, different levels of response. But the point is: if you’re still running what amounts to 2008-era antivirus, you’re not protected. You just think you are.

Step 4: Purpose-Built Devices

This is the one that changes everything when people actually commit to it.

I have an analogy I use all the time: if I need to drive a nail, I don’t pick up a tape measure. I use a hammer. Everything has a purpose. Your employees’ computers should only do what those employees need for work. Nothing more.

I shouldn’t be using my work computer to go social media gazing. I’ve got a phone for that. Your employees all have phones now. They should be doing all those personal things on their cell phones. Their work computer is a purpose-driven device.

Using tools like Microsoft Intune and remote monitoring platforms, we can make a computer purpose-designed to do exactly the things that person does for their job. They can access the applications they need, the websites they need, and nothing else. It’s not punishment. It’s protection.

Here’s another way I explain it to people. If we get rid of your computer entirely and give you an abacus, we don’t have to worry about viruses anymore, right? But is an abacus going to allow you to work effectively? Obviously not. So the real question is: what’s the balance between what they need to do their job and what they shouldn’t need to do their job?

That balance is where security lives.

The Creative Solutions

Now, I know what some of you are thinking. “Brian, that sounds great in theory, but my people have legitimate reasons to be on sites you’d want to block.” You’re right. They do. Let me give you a couple of real examples.

The Stamp-Collecting Doctor

We had a healthcare client, ten doctors in the practice. We locked things down the way we should for a medical office. HIPAA compliance, web filtering, the works.

One of the doctors was furious. “You can’t block me. I’m an owner.” Turns out he collected stamps, and he liked to browse auction sites during his lunch break. That’s not a work need, but he’s an owner and he’s not going to just accept “no.”

So here’s what we did. We bought him a $200 Chromebook and put it on the guest network. Completely isolated from the practice’s systems. He could browse his stamp auctions all day long and it posed zero threat to patient data or the practice network. He loved it. It was always there, always ready, just for him.

Two-hundred-dollar laptop. No threat. One-time charge. It just makes sense.

The HR Exception

Here’s another one. Your HR department needs access to social media to research job applicants. That’s a legitimate business need, but social media sites are also one of the biggest vectors for malware and phishing.

So what do you do? You’ve got options. Give them an iPad that’s not on the corporate network. Accept the risk but layer on extra controls. There’s no one-size-fits-all answer. But you as a business need to do a risk calculation. What’s the exposure, what’s the likelihood, and what’s the cost of mitigation versus the cost of the risk? That’s a conversation, not a policy.

The Cautionary Tale

Let me tell you one more story, because this is the one that illustrates what happens when you make exceptions for the wrong reasons.

Early in my career, I worked in the IT department of a company with about 1,700 employees. We installed a Barracuda web filter, standard practice, both for productivity and security. We could see what everyone was doing online and block the stuff that didn’t belong on a work network.

What we found was eye-opening. Employees spending hours on games. World of Warcraft. You name it. Hours of company time, on company equipment, on sites that had no business being accessed from a corporate network.

So we started blocking things. And that’s when the operations manager came running down the hallway, yelling. He was furious. “I go into World of Warcraft and you can’t stop me.” That’s a direct quote.

The IT director caved. Whitelisted the operations manager’s computer. No filters, no restrictions, full access to everything.

Here’s what that actually meant: that man was probably the greatest threat to security in that entire company. Every other security measure we’d put in place (the web filtering, the monitoring, the policies) could just be thrown out the window, because the operations manager decided no security should apply to him. One exception, and the whole system has a hole.

That’s what happens when leadership doesn’t buy in. Security isn’t something you can opt out of because you’ve got a title.

What You Should Actually Do

All right, so here’s the practical takeaway. If you’re a business owner or manager reading this, here’s what I’d tell you if we were sitting across from each other:

Start with admin rights. This week. Audit who has local administrative rights on their computers and take them away from everyone who doesn’t absolutely need them. This single step blocks the majority of social engineering attacks.

Look at your endpoint protection. If you’re running consumer-grade antivirus, or worse, whatever came free with the computer, you need to upgrade. Ask your IT provider about EDR solutions. If they don’t know what that means, that tells you something.

Have the purpose conversation. Sit down and think about what each role in your company actually needs their computer to do. Then configure those computers to do exactly that and nothing else. It’s not about punishing people. It’s about not giving attackers a playground.

Budget for creative solutions. A $200 Chromebook on a guest network is a rounding error in your annual IT budget. An isolated iPad for HR is nothing. These small investments solve real problems without creating security exceptions that come back to haunt you.

Get buy-in from the top. If your leadership team thinks security rules don’t apply to them, nothing else on this list matters. Security has to be universal or it’s not security. It’s theater.

Train your people, but don’t rely on training alone. I fell for my own phishing test. Training raises awareness, but it doesn’t eliminate human error. The technical controls (removing admin rights, PAM, EDR, device lockdown) are what actually stop the attack when someone inevitably clicks the wrong link.

It’s Not About Trust

I want to be clear about something, because I know how this conversation lands with some business owners. This isn’t about not trusting your employees. You love Susie. I love Susie. Susie’s great.

But people make mistakes. I make mistakes. The CEO of a cybersecurity company clicked a phishing link at a red light. If it can happen to me, it can happen to anyone on your team.

The goal isn’t to build a culture of suspicion. The goal is to build systems that protect good people from bad situations. You put a guardrail on a mountain road not because you don’t trust drivers, but because one moment of distraction shouldn’t cost someone everything.

Same principle. Protect your people. Protect your business. And if you’re not sure where to start, that’s what we’re here for.


Brian Largent is the CEO and founder of ArcLight Group, a Tulsa-based managed IT and cybersecurity firm serving businesses across Oklahoma. ArcLight offers a free 27-point IT Risk & Ransomware Assessment for businesses that want to understand where their vulnerabilities are. Call (918) 270-6600 or visit arclightgroup.com to schedule yours.

Photo of Brian Largent
About the Author

Brian Largent

Father to five, husband to one, founder, CEO, and all around swell fella (or so I'm told)

Ready to harden your environment?

Get the 27-point assessment we run on every new client

Two hours. One real engineer. A written report telling you exactly where your gaps are — whether or not you ever hire us.

No hard sell. No obligation. Month-to-month after — cancel anytime.