Thursday, 4 June 2026 00:12
Over the past few years, Sri Lanka has witnessed a significant rise in cyber incidents targeting businesses, government institutions, financial organisations, and even educational institutions. From ransomware attacks and phishing scams to data breaches and email compromises, organisations are increasingly realising that cyber threats are no longer a distant possibility; they are a daily operational reality.
In many organisations, millions are invested in firewalls, endpoint security, antivirus solutions, and advanced monitoring systems. Yet, despite these investments, attackers continue to succeed through one weak point: human behaviour.
This raises an important question for every organisation today: Is cyber security training a cost, or is it an investment?
The answer depends entirely on how organisations approach it.
The human firewall has become critical
Today, almost every employee has access to a desktop, laptop, mobile device, intranet, cloud platform, or the internet. This means every employee has become a potential entry point for attackers.
Cyber security can no longer remain the sole responsibility of the IT department. The traditional mindset that “security is an IT problem” is outdated and dangerous.
Modern cyber attacks specifically target non-technical staff because attackers find human psychology easier to exploit than technical vulnerabilities. A finance executive may receive a fake payment request. An HR manager may open a malicious CV attachment. A senior executive may unknowingly click on a credential-harvesting email disguised as a board communication.
In many cyber incidents globally, and increasingly in Sri Lanka, the attack did not begin with sophisticated hacking. It began with a single click by an unsuspecting employee.
This is why organisations must now train every employee who has access to a connected device. Whether the employee is in finance, operations, administration, HR, sales, or senior management, cyber awareness has become a mandatory business competency.
The era of zero trust architecture
Organisations around the world are adopting the concept of Zero Trust Architecture. The principle is simple: trust nobody automatically.
Every access request, every login, every email interaction, and every device connection must be continuously verified.
However, technology alone cannot enforce zero trust successfully. Employees themselves must understand the latest threat vectors and attacker methodologies.
Threats are evolving rapidly:
An employee trained two years ago may already be outdated in recognising modern attack patterns. Cyber awareness is not a one-time event; it is an ongoing process.
Training alone is not enough
This is where many organisations fail.
Some companies conduct a cyber security awareness session once a year merely to satisfy compliance requirements. Employees attend the session, sign the attendance sheet, receive a certificate, and return to their normal behaviour the next day.
If training ends there, it becomes a cost.
Why?
Because organisations have no visibility into whether employees actually practice what they learned.
Cyber security awareness must be measurable, monitored, and continuously reinforced.
A true cyber resilience strategy requires organisations to regularly assess employee behaviour through practical simulations and continuous validation mechanisms.
Continuous monitoring creates real cyber resilience
At CICRA Holdings, we strongly believe that cyber awareness must move beyond traditional classroom-based training.
Therefore, we have developed a continuous cyber awareness validation approach in which employees, after training (whether physical or online), are continuously assessed against evolving threat vectors.
This approach helps organisations:
The objective is not to punish employees, but to build a sustainable cyber-aware culture.
A structured accountability framework
Organisations must also understand that accountability is essential in cyber security culture building.
If an employee falls victim to a simulated attack after receiving training, it indicates the need for further awareness reinforcement.
A practical framework could include:
First incident
The employee receives awareness guidance and educational reinforcement.
Second incident
The employee undergoes compulsory retraining. At this stage, management may decide whether:
This creates accountability while emphasising the seriousness of cyber hygiene.
Repeated incidents
If the same individual repeatedly fails despite multiple interventions, management may need to issue formal warnings, because such behaviour becomes a direct organisational risk.
In today’s environment, a single negligent action can lead to:
Therefore, cyber negligence cannot be treated casually.
Building a cyber-aware organisational culture
Cyber security training should not create fear among employees. Instead, it should create awareness, responsibility, and vigilance.
Organisations that succeed in cyber resilience are those that:
Management boards today discuss financial risk, operational risk, and legal risk. Cyber risk must now be discussed with the same level of seriousness.
Investment, not expense
So, is cyber security training a cost or an investment?
If organisations conduct training merely as a compliance checkbox, it becomes a recurring expense with little return.
But if organisations combine training with continuous monitoring, behavioural assessment, management reporting, and accountability mechanisms, it becomes one of the most valuable investments in organisational resilience.
Technology can only protect an organisation to a certain extent. Ultimately, the strongest firewall in any organisation is an aware and responsible employee.
(The author is the Group Director / CEO, CICRA Holdings)