Your five-year-old hears the doorbell ring just after you’ve jumped in the shower. They’ve been trained by your example to answer the door when they hear the bell, but are a bit too young to have had the “never answer the door unless I’m with you” talk. The man at the door is dressed in a sharp uniform that says Acme Repair (meep meep). Your child doesn’t read yet, but they recognize an authority figure when they see one (thanks Wile E Coyote), and let him in when he says, “Your mom called to have the heater fixed.”

Whether the repairman can be trusted or not — whether he is an evil criminal or actual handyman — is beside the point. Your child has let a stranger into your home. Now you have a choice to make: Punish your child, or recognize that they didn’t know any better and teach them how to change their behavior in the future.

I’ve been preaching the gospel of good cybersecurity habits since I lost my business and net worth to cybercrime 15 years ago, and I’m still surprised at how many organizations continue to punish their employees for mistakes made because the company never delivered proper “don’t answer the door” or “don’t click that link” training. In fact, I’ve worked with financial institutions whose policy is to fire employees who click on a single malicious phishing email link. That outdated response is no more enlightened or effective than spanking your child and blindly hoping that the pain and humiliation teach them what it was they were supposed to be doing.

There’s never been a better time or more compelling reason to invest your training dollars. Over the next five years, companies will incur an estimated $5.2 trillion globally in lost revenue and additional costs due to data breaches, according to a 2019 report from Accenture. Here’s the kicker, though: 90 percent of data breaches are caused by human error. Ninety percent.