The Three Ps of Cybersecurity

Cyber threats and attacks are rising, costing companies money and time. According to the FBI, in 2021 alone, companies lost around $6.9 billion. So how can organizations protect themselves? In this post, we’ll explain the three Ps that any company should have as part of their security defense and how you can utilize them to prevent cyberattacks:

  • Programs
  • Process
  • People

You’ll want to keep these three Ps in mind as you design and create your own cybersecurity defense plan.


Programs

As technology has advanced, so have cyber threats and attacks. Unlike the days of yore (about 20 years ago), you can’t just install an antivirus program onto your computer and call it a day. To combat today’s cybercriminals, you need multiple systems in place. Some of these systems include:

  • An email security system: One of the easiest ways to get people to click a link or open a questionable file is via email. Once clicked or opened, the link or file can download a virus or other malware onto the device. An email security system scans emails for threats before they reach the inbox, reducing the chances of an unwitting employee clicking a malicious link.
  • An endpoint protection program: The computer you use at work is considered an endpoint: an end-user device where information from the internet ends up. An endpoint protection program scans devices for viruses, malware, and abnormalities.
  • A DNS-layer security program: Whenever you access a website, your computer first looks up the site’s name through DNS to find the server that holds the information. A DNS-layer security program checks those lookups and helps keep you from connecting to malicious servers or suspicious websites.
  • Training programs: Phishing is a form of social engineering that tricks someone into clicking a malicious link. Phishing training or testing programs train people to think twice before clicking. Often, these programs run regular simulation scenarios to keep employees sharp and on the lookout for phishing emails.


Process

When someone receives a phishing email, chances are other people in the office also have. Because there are so many points of vulnerability, it is essential to have a process in place for alerting the IT department and informing co-workers. Processes can also be established for banking transactions and financial or payroll requests.

  • Reporting suspicious email: What should employees do if they receive a suspicious email? It’s one thing to spot a phishing email, but what next? Developing a process to identify and report suspicious emails to the IT department will ensure that everyone knows not to open those emails.
  • Two-step verification: It’s essential to develop and implement a two-step verification process for any banking transaction, much like the two-step verification process you encounter when logging into an email account from a new computer. This process ensures that even if the username and password are compromised, a second device not accessible to the hacker is still required to verify the transaction.
  • Voice verification: Biometrics is a way to identify specific people. If you’ve got employees or contractors looking to make payroll changes or a vendor asking for a change in bank deposits, a voice verification process turns that person’s voice into their password. You’ve probably seen this same type of biometric technology on smartphones. The phone uses people’s faces or fingerprints as the password to access apps or even the phone itself.
  • Incident Response Plan: An incident response plan is a set of procedures and instructions that help your IT team identify, eliminate, and recover from cyberattacks. This plan should detail who is responsible for reviewing potential threats and identifying breaches. If one has occurred, your IT team should refer to the incident response plan for steps to contain and secure that breach.


People

It is often said that the weakest link in an organization is the people. It’s much easier to trick someone into opening a phishing email than to brute force a strong, computer-generated password. Therefore, educating, training, and testing employees is a crucial step in cyberattack prevention.

Unfortunately, cybersecurity training isn’t a one-and-done deal. First, you’ll need to ensure that people are constantly aware that a suspicious email could land in their inbox. Some good steps to take include:

  • Provide basic security awareness training: There are many programs out there that provide online training for employees. You could also take a few minutes at a company meeting to discuss cybersecurity and the steps people need to take to identify and report threats.
  • Cybersecurity refresher training: As with most mandated training, people often forget what they’ve learned a few days after the initial course. Providing your employees with cybersecurity refresher training keeps the information from being sent to the back burner during a busy workday.
  • Implement a security awareness system: You can conduct fake phishing campaigns a few times a year. This can help fish out the people who have forgotten their training and provide them with a chance to take a refresher course.

To ensure that cyberattacks don’t drain your company of time and money, use the three Ps of cybersecurity defense as a guide when you start to implement a company-wide prevention program. If you want to learn more about how we can help your company create a comprehensive cybersecurity plan and training program, then give the Data Evolution team a call today!