It's not sophisticated threats causing the majority of cyber incidents, according to new research, it’s distracted staff.
A recent study from KnowBe4 found that distraction is the top reason organizations fall victim to cyber attacks, cited by 43% of cybersecurity professionals.
A lack of security awareness training was close behind at 41%, with the pressure to act quickly at 33% and fatigue or burnout at 31%. Only 17.1% of respondents attributed successful cyber attacks to the sophistication of the threats themselves.
KnowBe4 said the study highlights the serious risks faced by staff on a daily basis and urged enterprises to ramp up support for workers.
"Cyber risk is not just about advanced technology; it is about human bandwidth and the cognitive load of today’s fast-paced digital workplace,” said Javvad Malik, lead cybersecurity awareness advocate at KnowBe4.
Unsurprisingly, the main threat faced by workers was phishing, accounting for 74% of all incidents. Respondents noted staff frequently faced social engineering techniques such as employee impersonation - an issue that's grown in both scale and intensity in recent years.
Three-in-ten cited social engineering via social media platforms such as LinkedIn as a major issue.
Malicious links or attachments were also among the top risks encountered by employees, accounting for 38% of all attack methods.
AI concerns are growing
AI-generated attacks aren't dominant yet, KnowBe4 found, with only 11% citing it as their biggest threat - but cybersecurity professionals are worried about its use among cyber criminals.
When asked about future threats, 60% of respondents expressed greatest concern about AI-generated phishing and deepfakes, followed by ransomware at 48% and shadow IT or unsanctioned AI tools at 42%.
"It’s like preparing for a hurricane while still dealing with daily rain - organisations know the big storm is coming," researchers said.
"While today’s threats still mainly involve someone pretending to be the CEO asking for gift cards, security teams are bracing for a future where that 'CEO' might video call you with a perfectly cloned voice and face."
Investment is needed to bolster staff awareness
Enterprise cybersecurity budgets are increasing to counter rising threats, the study found, with 65% revealing they expect bigger spending moving forward.
Just 4% of respondents said they expect their cybersecurity budget to fall.
The biggest priority is email security, a key focus for 45%, followed by security awareness training at 37%, and cloud security at 34%.
However, while 32% believe that AI-based tools will have the greatest impact, only 26% are prioritizing this for funding.
"These investment priorities reflect a growing understanding that effective security requires a harmonious blend of technical controls and human capabilities," the researchers said.
"With email security and security awareness training leading the investment priorities, organisations are clearly recognizing the interconnected nature of technical and human risk."
Nearly 90% of respondents expressed confidence in their ability to respond to cyber attacks - a bit of a problem, said the researchers, given the high prevalence of successful attacks.
"The findings highlight that bridging the gap between perceived value and investment in integrated human risk management is crucial," said Malik.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A guide to cyber security certification and training
- Employee phishing training is working – but don’t get complacent
- Our guide to the best online cybersecurity training courses
-
‘Always on’ culture is harming productivity, so workers are demanding ‘digital silence’ to get on with tasksNews Tired of relentless notifications, emails, and messages? You're not alone. Workers across a range of industries are calling for 'digital silence' periods to boost productivity.
-
Dell Pro 14 Plus laptop reviewReviews A solid business laptop, but awkward pricing and bland design see it struggle to make a mark
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update nowNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Cyber teams are struggling to keep up with a torrent of security alertsNews Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
US authorities just took down 'one of the most powerful DDoS botnets to ever exist’ with help from AWSNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
-
UK telecoms firm takes systems offline after cyber attackNews The Warlock ransomware group said it was selling a million stolen documents
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
