People are always the weak link when it comes to enterprise cybersecurity–but some departments are more likely to get hit and fall victim to attacks than others.

“Everyone is susceptible to these attacks. Nobody is immune,” said Wesley Simpson, COO of (ISC)2. “It doesn’t matter what type of organization, how strong you think you are, how much money that you’re investing into your hardware and software environment to have the latest and greatest technology. We’re all vulnerable, and you can’t do it alone.”

Here are three departments that are often most likely to fall victim to cyberattacks.

1. IT

IT and development are not immune to mistakes or attacks that result in security breaches, as 2017 has proved, said Forrester analyst Jeff Pollard. For example, we saw that Amazon S3 storage buckets were a constant source of data exfiltration, often by security researchers and bug bounty hunters, but also by attackers.

“Continued use of cloud technologies means this part of an organization’s attack surface will continue to expand,” Pollard said. “These users also often have access to sensitive information and Intellectual Property, making them interesting targets.”

SEE: Security awareness and training policy (Tech Pro Research)

More than one-third of IT professionals said they see themselves as the biggest internal security risk to their organizations’ networks, according to a recent Balabit report. This is largely due to the fact that IT staff often possess greater access rights than those in other departments, including access to business-critical data through the IT systems they manage and control, making them a prime target for cyber criminals, the report noted.

2. Finance

A large number of attacks in 2016 and 2017 targeted procurement and finance teams, Pollard said. These attacks attempted to get employees of the company to transfer large sums of money to the attackers, bypassing normal accounts payable procedures and controls. There’s no reason to believe those attacks will drop in 2018, he added.

The finance department is also often the target of phishing attacks, since they have access to money as well as private information, according to R.V. Raghu, a board director of ISACA and director of Versatilist Consulting India.

3. The C-suite

C-level executives–including the CEO–are the most at risk of being hacked when working outside the office, according to a recent report from iPass. These employees often work long hours, are rarely confined to the office, and have unrestricted access to the most sensitive company data, making them highly valuable and highly available targets, the report found.

SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)

C-suite members need to be wary of whaling attacks, or phishing scams targeted at executives in which hackers use social engineering to trick users into releasing bank account data, employee details, or customer information. These might come in the form of mailers with legal non-compliances or customer complaints being highlighted and requiring immediate actions, Raghu said.

How to protect your employees

It’s important to remember that despite human shortcomings, employees play a major role in preventing cyberattacks as well.

“We know that people are the biggest offenders when it comes to these breaches and vulnerabilities–but to complement that, we are also the strongest line of defense,” Simpson said.

To keep on top of the latest cyber threats and mitigation efforts, Simpson recommends “people patching.” While most organizations reserve a portion of the budget to patch hardware and IT infrastructure, they do not typically fund employee cybersecurity training. It’s important to invest in hardening employee skills and keeping them abreast of new breaches and attack vectors, Simpson said.

SEE: How to make your employees care about cybersecurity: 10 tips

Strong cybersecurity across departments also requires change from the top down, Simpson said. It’s important to build cybersecurity core values into the organization’s mission, and make sure every individual has a cybersecurity goal that is being tracked and measured. “It’s really going to help push out some of those responsibilities and accountability to every single employee in the organization, and not just rest it on the CIO or CISO’s shoulders,” Simpson said.

The CIO and CISO still play a key role, Raghu said. “CIOs need to focus on making sure that the enterprise and its board understands the cybersecurity risks that are facing the enterprise,” he added. “CISOs need to focus primarily on employee education and awareness and ensure that this education is ongoing so that even in a dynamic enterprise ecosystem, employees are aware and proactive.”

Business leaders need to understand the necessity of investing not only in technology to fight cyberattacks, but also in hiring and training a highly skilled cybersecurity workforce that is capable of dealing with a complex threat landscape, Raghu said.

“Business leaders need to understand that cybersecurity is a business issue and not an IT issue,” Raghu said. “Cybersecurity is all about culture–this must flow from the board to the executive team to the rest of the enterprise.”