Who is the worst? The end user? Maybe they can be bad, but typically they don't have much access and the risk is minimal.
Is it management? Again, maybe, but not in the ways you think. Management is one of the worst because they don't want to pay for security, or they support lower levels of management that push overly expensive security solutions, or they just accept from their subordinates that security is handled, or, worse, they push back and want weaker security.
Is it your IT department? Again, maybe, and they can be some of the worst. I personally give them the second-worst award. Why? IT, especially operational staff, want to make their life easy: easy to access the systems and get their work done, just like everyone else. But this is where all security starts to fail. If it is easy to log into EVERY system with a single username and password, then it is easy to steal that username/password. OR worse, there is one system whose "front door" is hardened, impossible to break in, with passwords, multifactor authentication, certificates, etc., but it has access to EVERYTHING, so it is trusted. Sound familiar? SolarWinds should come to mind.
But again, your official IT is only the second worst!
The winner for the WORST "group" at cyber security at any company goes to the "unofficial IT". Who is that? It could be anyone in the company who buys a cloud service, runs their own server, or buys or installs any software or service outside of what is 100% supported by official IT. Have you ever bought software on the internet and downloaded and installed it on your work computer? Or bought a cloud HR system, or maybe QuickBooks Online? Or Gmail? Then you could be the worst in your company! Did you secure your Gmail/G Suite? Did you enforce MFA? Did you read the security lock-down process? Most companies (as in all companies) do not lock down their cloud environment; they make it easy to use and provide a guide for you, the consumer, to lock it down. WHY? They want your business, and everything that makes things more secure makes it harder to get their foot in the door when someone is demoing a product.
How do you solve all these issues? First you have to decide: what happens if all my data gets deleted? What happens if it all gets stolen? Maybe your data is not important, and if your competitor takes it all it doesn't matter. But I bet if someone crashed all your computers and deleted all the data, that would cause an impact! You have to have real conversations about this. Security does not have to be expensive, but it does have to be thought out and planned.
Here is the final tip: if you don't plan, you don't have a security culture from the start, and you just want to add a security culture and security systems later, then the bigger your company grows, the LONGER it is going to take to change your culture, and longer means it will cost MUCH more. You may one day get to a size where it is impossible to secure your company regardless of how much money you throw at it. Why? Because people are resistant to change, and accountability is HARD.
Read more at Woods LLP