A company's employees are its best defence against security threats, and should be empowered and educated about technology risks, according to a new report from PricewaterhouseCoopers (PwC).
The consulting firm said in its Protecting your Business report (PDF) that organisations are too complacent about security, and assume that they will not be affected.
This lax attitude filters down to workers, who then believe that security is "someone else's problem".
PwC argued that companies should make staff more aware of the security risks, and educate them on how to defend against attacks.
"The goal is that all those working for an organisation are alert to the risks, will want to act to protect information and will be actively supported in doing so," said Craig Lunnon, senior manager of HR services at PwC.
"As the first line of defence, security-aware employees are often best placed to identify a potential breach or weak link. Equally, they can prevent and reduce the impact of incidents when they do occur."
This approach is preferable to increased technology investments, according to Lunnon, as technology can muddle the security landscape and create more problems than it solves.
Only by assessing employee behaviour, and improving their security awareness, will enterprises be able to invest in effective technology, he added.
Security investments will otherwise be fragmented, or create convoluted systems that staff will often bypass in favour of doing their jobs.
PwC also advised organisations to persuade staff to defend against, rather than cause, security threats, and to ensure that they are aware of their own responsibilities.