Employee distraction is now your biggest cybersecurity risk

A distracted employee sitting at an office desk staring into space while working on a laptop computer.

(Image credit: Getty Images)

It's not sophisticated threats causing the majority of cyber incidents, according to new research, it’s distracted staff.

A recent study from KnowBe4 found that distraction is the top reason organizations fall victim to cyber attacks, cited by 43% of cybersecurity professionals.

A lack of security awareness training was close behind at 41%, with the pressure to act quickly at 33% and fatigue or burnout at 31%. Only 17.1% of respondents attributed successful cyber attacks to the sophistication of the threats themselves.

KnowBe4 said the study highlights the serious risks faced by staff on a daily basis and urged enterprises to ramp up support for workers.

"Cyber risk is not just about advanced technology; it is about human bandwidth and the cognitive load of today’s fast-paced digital workplace,” said Javvad Malik, lead cybersecurity awareness advocate at KnowBe4.

Unsurprisingly, the main threat faced by workers was phishing, accounting for 74% of all incidents. Respondents noted staff frequently faced social engineering techniques such as employee impersonation - an issue that's grown in both scale and intensity in recent years.

Three-in-ten cited social engineering via social media platforms such as LinkedIn as a major issue.

Malicious links or attachments were also among the top risks encountered by employees, accounting for 38% of all attack methods.

AI concerns are growing

AI-generated attacks aren't dominant yet, KnowBe4 found, with only 11% citing it as their biggest threat - but cybersecurity professionals are worried about its use among cyber criminals.

When asked about future threats, 60% of respondents expressed greatest concern about AI-generated phishing and deepfakes, followed by ransomware at 48% and shadow IT or unsanctioned AI tools at 42%.

"It’s like preparing for a hurricane while still dealing with daily rain - organisations know the big storm is coming," researchers said.

"While today’s threats still mainly involve someone pretending to be the CEO asking for gift cards, security teams are bracing for a future where that 'CEO' might video call you with a perfectly cloned voice and face."

Investment is needed to bolster staff awareness

Enterprise cybersecurity budgets are increasing to counter rising threats, the study found, with 65% revealing they expect bigger spending moving forward.

Just 4% of respondents said they expect their cybersecurity budget to fall.

The biggest priority is email security, a key focus for 45%, followed by security awareness training at 37%, and cloud security at 34%.

However, while 32% believe that AI-based tools will have the greatest impact, only 26% are prioritizing this for funding.

"These investment priorities reflect a growing understanding that effective security requires a harmonious blend of technical controls and human capabilities," the researchers said.

"With email security and security awareness training leading the investment priorities, organisations are clearly recognizing the interconnected nature of technical and human risk."

Nearly 90% of respondents expressed confidence in their ability to respond to cyber attacks - a bit of a problem, said the researchers, given the high prevalence of successful attacks.

"The findings highlight that bridging the gap between perceived value and investment in integrated human risk management is crucial," said Malik.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.