I've been involved in the aftermath of multiple cyber security incidents, and they have nearly always originated from human error/poor judgement/lack of training.
An attack may take advantage of a weakness in a system but quite often that is exploited through some form of social engineering approach.
I firmly believe that as long as a company has some information security, one of the best things they can do is educate people. By having a clear strategy and ensuring people comply with policies (be that automated or manually checked), you close the door on a lot of possible attacks. By educating and raising awareness among all staff, you instil the 'what-if' thought process in people, and that can be all it takes for someone to question a phishing phone call or flag an email that may be trying to get information. Early identification is key in these situations and prevents further infection. Teaching people how to handle pushy telephone calls and how to spot emails that may have been spoofed is always part of my information security awareness training. I keep groups small so that you can engage with people instead of doing large blanket company-wide sermons.
Then you have the infosec strategy in the background, ensuring that everything is protected properly from a systems and monitoring point of view.