It's not sophisticated threats causing the majority of cyber incidents, according to new research, it’s distracted staff.
A recent study from KnowBe4 found that distraction is the top reason organizations fall victim to cyber attacks, cited by 43% of cybersecurity professionals.
A lack of security awareness training was close behind at 41%, with the pressure to act quickly at 33% and fatigue or burnout at 31%. Only 17.1% of respondents attributed successful cyber attacks to the sophistication of the threats themselves.
KnowBe4 said the study highlights the serious risks faced by staff on a daily basis and urged enterprises to ramp up support for workers.
"Cyber risk is not just about advanced technology; it is about human bandwidth and the cognitive load of today’s fast-paced digital workplace,” said Javvad Malik, lead cybersecurity awareness advocate at KnowBe4.
Unsurprisingly, the main threat faced by workers was phishing, accounting for 74% of all incidents. Respondents noted staff frequently faced social engineering techniques such as employee impersonation - an issue that's grown in both scale and intensity in recent years.
Three-in-ten cited social engineering via social media platforms such as LinkedIn as a major issue.
Malicious links or attachments were also among the top risks encountered by employees, accounting for 38% of all attack methods.
AI concerns are growing
AI-generated attacks aren't dominant yet, KnowBe4 found, with only 11% citing it as their biggest threat - but cybersecurity professionals are worried about its use among cyber criminals.
When asked about future threats, 60% of respondents expressed greatest concern about AI-generated phishing and deepfakes, followed by ransomware at 48% and shadow IT or unsanctioned AI tools at 42%.
"It’s like preparing for a hurricane while still dealing with daily rain - organisations know the big storm is coming," researchers said.
"While today’s threats still mainly involve someone pretending to be the CEO asking for gift cards, security teams are bracing for a future where that 'CEO' might video call you with a perfectly cloned voice and face."
Investment is needed to bolster staff awareness
Enterprise cybersecurity budgets are increasing to counter rising threats, the study found, with 65% revealing they expect bigger spending moving forward.
Just 4% of respondents said they expect their cybersecurity budget to fall.
The biggest priority is email security, a key focus for 45%, followed by security awareness training at 37%, and cloud security at 34%.
However, while 32% believe that AI-based tools will have the greatest impact, only 26% are prioritizing this for funding.
"These investment priorities reflect a growing understanding that effective security requires a harmonious blend of technical controls and human capabilities," the researchers said.
"With email security and security awareness training leading the investment priorities, organisations are clearly recognizing the interconnected nature of technical and human risk."
Nearly 90% of respondents expressed confidence in their ability to respond to cyber attacks - a bit of a problem, said the researchers, given the high prevalence of successful attacks.
"The findings highlight that bridging the gap between perceived value and investment in integrated human risk management is crucial," said Malik.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A guide to cyber security certification and training
- Employee phishing training is working – but don’t get complacent
- Our guide to the best online cybersecurity training courses
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Logitech says zero-day attack saw hackers copy 'certain data' from internal IT systemsNews The incident is believed to have formed part of a campaign by the Clop extortion group that targeted customers of Oracle’s E-Business Suite
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
Laid off Intel engineer accused of stealing 18,000 files on the way outNews Intel wants the files back, so it's filed a lawsuit claiming $250,000 in damages
-
GitHub is awash with leaked AI company secrets – API keys, tokens, and credentials were all found out in the openNews Wiz research suggests AI leaders need to clean up their act when it comes to secrets leaking
