Many businesses fail to provide adequate training to their employees on the safe use of their systems and how to spot unusual activity.
Not all cyber attacks can be stopped by system controls. If employees do not know how to spot the likes of a phishing email they will be extremely vulnerable to the most common and successful forms of cyber-attack.
This is the most common form of cyber-attack that we have been commissioned to deal with often having resulted in serious financial loss. In all cases, more adequate user security awareness (alongside other controls) could have prevented or significantly reduced the impact of the attack.