TL;DR: Businesses are extending layered security models to include people security, arguing that employee habits, tool adoption, and quick reporting materially affect defence against phishing, malware, and information sharing risks, according to Bitwarden. The governance challenge is not awareness in isolation, but whether security programmes make safer behaviour easy enough to sustain.
NHIMG editorial — based on content published by Bitwarden: businesses can strengthen cyber defence by adding a people security layer
Questions worth separating out
A: Start by reducing the number of steps employees must remember and the number of tools they must switch between.
Q: Why does user behaviour matter so much in IAM and security programmes?
A: Because access control is only effective if people consistently follow the authentication, reporting, and verification steps the programme depends on.
Q: What do security teams get wrong about cyber awareness training?
A: They often measure completion instead of behaviour change.
Practitioner guidance
- Reduce security friction in daily identity tasks Simplify password manager rollout, MFA enrolment, and secure sharing workflows so employees can complete them without needing special support.
- Build reporting into the user workflow Make suspicious email and account-abuse reporting visible, fast, and easy to trigger from the tools employees already use.
- Reinforce 2FA on high-value accounts Push consistent two-factor authentication adoption across personal and workplace accounts that support it, especially where compromise would expose corporate identity workflows.
What's in the full article
Bitwarden's full article covers the practical detail this post intentionally leaves for the source:
- Specific employee communication examples for enabling two-factor authentication across personal accounts
- Bitwarden's suggested approach to encouraging password manager adoption through small, repeatable wins
- The article's examples of how to recognise and reward employees who report suspicious emails
- The source's discussion of how a people security layer complements system, network, application, and transmission controls
👉 Read Bitwarden's article on adding people security to layered cyber defence →
People security and cyber hygiene: what does it change for teams?
Explore further
People security is a control design issue, not a communications campaign. The article correctly treats employee behaviour as part of defence, but the deeper lesson is that secure outcomes depend on whether controls fit real work patterns. If users cannot adopt the control quickly, they create informal bypasses that reduce assurance. For IAM programmes, that means adoption friction is itself a governance risk, not a training gap.
A question worth separating out:
Q: How can security teams tell whether people security is actually working?
A: Look for operational signals such as increased password manager usage, broader MFA adoption, faster reporting of suspicious messages, and fewer user-driven workarounds. If those indicators do not improve, the programme may be raising awareness without changing risk. The control has to change behaviour, not just knowledge.
👉 Read our full editorial: People security is becoming the missing layer in workplace defence