An organisation is best protected if employees are educated and informed in the role they play, according to Cisco.
Instead of giving broad training to staff around online security, global information security VP, Steve Martino, said role-based training is more beneficial.
"Different education programs for different skills are needed to make them aware of the risks and obligations they have," he said.
"You have to do it in that focused way, as you can't make them aware of broad-based topics."
One program could ask end users to think before they click, while another one aimed at administrators or developers would have a different message.
"End users also need to take responsibility and learn, just like they learned the rules of the road to drive a car," Martino said.
When an organisation adopts any new technology, product or service, Martino said it is important for them "not to assume but consider" the potential implications for the channel and customers.
Legacy tagging along
The Internet has received a bad reputation in recent years for having security flaws and loopholes, and Martino attributes it to legacy technology.
"A company like Cisco didn't start building technology today, but has been doing it for 25 years," he said.
"Most of the systems from that time are retired, but some of the ones in circulation may be 10 to 15 years old."
Martino points out that a lot of the technology from back then was designed and released in a time of different connectivity.
He likens the growing pains to how car drivers complain of bicyclists on the road, yet the roads were not architected for that change.
"It easy to say something like the Internet should have been build good from the beginning, but you're bringing a lot of old legacy along, as well as introducing new things," he said.
Martino said the end result is an mesh of the past and present, which he said can cause some complexity and room for error.
Sign up for CIO Asia eNewsletters.