Retired Lieutenant General Rhett Hernandez, the first commander of US Army Cyber Command, has a great write-up on today’s cyber threats and the types of strategy organizations need to consider to properly defend their assets:

Cybercriminals are just beginning to think about the ways in which they can leverage their abilities. Any belief that if we pay them it will be okay will break down. You can’t trust agreements between people with values and people without values. Paying them will not ease the pain. Defining and mitigating the risk to prevent these threats from making you a victim is the key. And if prevention fails, your resiliency will depend on how prepared you are to recover and restore operations.

Taken together, the overall threat from cybercrime will result in far more expense to companies—not just from the breaches themselves, and working to prevent them, but also from litigation and, in all likelihood, additional regulation. Breaches at companies over the last year, especially Equifax, generated increased scrutiny among lawmakers and regulators around the country—and on Capital Hill. Expect a growing push for companies to start to do some of the necessary security basics.

In this environment, the main issue for CEOs and top leaders isn’t which software to buy. When it comes to cybersecurity, culture is the most important thing because people are the weakest link. It isn’t just in corporate America. In every large organization, including the Army, where high discipline and high standards are expected, people often fall short, given the anonymity the virtual world provides. In my experience, soldiers—and employees—often fail to remember that a risk to one is a risk to all.

After discussing threats, Hernandez gets into techniques leaders should employ to counter the cyber threat. Most of the ideas are common sense, but you would be surprised how many in upper management are unaware of how to develop sound cyber defense strategy.

But Hernandez is right in that the primary issue is culture. The weakest link in the security chain is often what ends up allowing an attacker to breach a network. Ensuring corporate culture prioritizes security pays huge, likely unquantifiable, dividends. It is not what guarantees breach prevention, but it definitely helps ensure employees are far more cognizant of the threat, take is seriously, and employ the necessary individual steps they can to thwart attacks.

Just like how safety is ingrained in most corporate cultures, cyber security needs to be at the forefront of peoples minds when operating or accessing their organizations IT assets, whether they are in private or public cloud environments.