Corporate security is often associated mainly with technology. With infrastructure, surveillance tools, approaches, certifications or rules. But in practice, a large part of the risks arise not where technology fails, but where human attention, judgment or habit fail. This is why the human factor is one of the most sensitive points of any security framework.
David Snášel , CIO of GRiT, aptly puts it: "The security of the corporate environment is not just about technologies and systems. It is built on three pillars - technologies, processes and people."
The weakest point often occurs not in the system, but in operation
It is the third pillar that is the least predictable in everyday operations. While technology can be set up, the process described and audited, people work under pressure, in a hurry, with a number of stimuli at once. And it is in such operations that there is room for error. A typical example is phishing .
Today's attacks are no longer primitive emails with suspicious Czech. They are more targeted, more precise and, thanks to AI, much more credible. Attackers can trace the role of a specific person in the company, their responsibility and the context in which they operate. "A significant part of security incidents do not arise due to technological failure, but due to inattention, underestimation of the situation or lack of awareness," describes David Snášel. Then a moment of inattention is enough and the problem has not only a technical dimension, but also a direct impact on reputation, operations and finances.
Training should correspond to the reality of the company
This leads to an important point: functional security cannot be built as a formal obligation. It is not enough to complete training once a year and close the topic. In a company where dozens or hundreds of people work with information across roles, security must correspond to real operations. It applies to reception, administration, management and technical teams. It applies to work with emails, attachments, documents, internal systems and decisions that people make every day under time pressure.
That is why, according to David, it makes sense to structure training differently – not as a one-off act, but as an ongoing process. Digestible, understandable and linked to what is really changing in the work environment. Employees do not just need to know the rules. They need to understand the context and recognize a situation that deviates from normal operations in time. At GRiT, we do not look at it as a one-off administrative obligation, but as part of active safety management. Safety has its responsible roles, clearly defined competencies and ongoing attention from management, because without this support, the rules quickly fall apart in everyday operations.
AI is changing the speed of work and the boundaries of responsibility
This is clearly visible in the advent of AI tools. They have brought a new layer of decision-making that cannot be done without security judgment. It is not enough to know how to use a tool. You need to know what type of information belongs in it, what is already beyond the edge and why. Internal information, contracts, personnel data or internally created code cannot be inserted into external systems without thinking just because it will speed up the work.
This is where it becomes clear that security cannot be separated from responsibility for new tools and new ways of working . In GRiT, AI is therefore part of a managed framework. The company not only has rules for working with AI and classifying information, but also specific responsibility for the security of this area . In addition to general security roles, there is also a role that focuses on security in the context of AI, i.e. how new tools are used, evaluated and integrated into the corporate environment. “If a person does not have sufficient training and does not create the necessary internal alarm, their actions can cause reputational and financial damage,” warns David Snášel. That is why security today includes clear rules for the use of AI, approval of tools and ongoing assessment of the risks that come with them.
Safety is also evident in everyday habits
Physical security remains an underestimated area. Yet it is this that determines whether the rules are truly part of everyday functioning. Locking the screen when leaving the computer, a clean desk without loose documents, proper shredding or not leaving papers on the printer. These are basic habits that show whether a company understands security as part of operational discipline.
But it is equally important that the company does not ask people to do something that cannot be followed in practice. Safety rules must be applicable. It is not enough to prohibit risky behavior. It is also necessary to offer a safe and practical alternative. When a person has the right tools at their disposal and understands why they are using them, the chances that the rules will become a normal part of the work, not an obstacle, increase significantly.
Safety culture is created continuously
This is the difference between formal safety and safety culture. Safety culture is not created by employees signing a directive. It is created by employees noticing unusual situations, knowing how to name them, and having the space to report them even when they are not sure whether it is an incident. Often, it is the small signals that reveal a problem in time that would otherwise remain hidden.
When people are continuously guided and safety is kept as a lively topic in the company, their thinking in everyday operations also changes. “Safety culture is not only strengthened by rules, but also by people having the courage to say things out loud and not keeping doubts to themselves,” summarizes David Snášel. It is this willingness to point out a suspicious situation or to ask for an inspection in time that is often as important in practice as technical security.
The responsibility lies with both employees and management
Security in a company is therefore not based solely on the personal responsibility of the individual. This is important, but it is not enough on its own. Employees must know how to handle information and what obligations they have under company rules. At the same time, management must create a framework within which these rules can be realistically followed. This means setting roles, responsibilities, budgets, processes and ongoing training. Without this support, security can easily be reduced to a set of formal requirements without any real impact.
At GRiT, safety is therefore actively managed. It is not based only on general awareness, but on specifically defined responsibilities that keep the topic in everyday operations and in decisions about new tools and procedures. It is this systematic approach that helps keep safety as part of the company's operations.
Readiness starts at the moment of arrival
Onboarding also plays an important role in this. Not every new person comes from an environment where safety is systematically managed. It is all the more important to provide basic orientation right from the start and give new colleagues a clear framework within which they can operate safely.
In an environment where companies work with sensitive data and are responsible for the stability of services, the human factor is as much a part of security as technology and processes. This area needs to be systematically managed, developed and anchored in the daily functioning of the company. Security does not come about with a single measure. It comes about through an environment in which people know what they are protecting, why they are protecting it and how they should make decisions when there is no time left to think about the rules.
Are you dealing with invoice approval?
30 minutes, no obligation. We will show you how iNVOiCE FLOW fits into your ERP.



