It's not sophisticated threats causing the majority of cyber incidents, according to new research, it’s distracted staff.
A recent study from KnowBe4 found that distraction is the top reason organizations fall victim to cyber attacks, cited by 43% of cybersecurity professionals.
A lack of security awareness training was close behind at 41%, with the pressure to act quickly at 33% and fatigue or burnout at 31%. Only 17.1% of respondents attributed successful cyber attacks to the sophistication of the threats themselves.
KnowBe4 said the study highlights the serious risks faced by staff on a daily basis and urged enterprises to ramp up support for workers.
"Cyber risk is not just about advanced technology; it is about human bandwidth and the cognitive load of today’s fast-paced digital workplace,” said Javvad Malik, lead cybersecurity awareness advocate at KnowBe4.
Unsurprisingly, the main threat faced by workers was phishing, accounting for 74% of all incidents. Respondents noted staff frequently faced social engineering techniques such as employee impersonation - an issue that's grown in both scale and intensity in recent years.
Three-in-ten cited social engineering via social media platforms such as LinkedIn as a major issue.
Malicious links or attachments were also among the top risks encountered by employees, accounting for 38% of all attack methods.
AI concerns are growing
AI-generated attacks aren't dominant yet, KnowBe4 found, with only 11% citing it as their biggest threat - but cybersecurity professionals are worried about its use among cyber criminals.
When asked about future threats, 60% of respondents expressed greatest concern about AI-generated phishing and deepfakes, followed by ransomware at 48% and shadow IT or unsanctioned AI tools at 42%.
"It’s like preparing for a hurricane while still dealing with daily rain - organisations know the big storm is coming," researchers said.
"While today’s threats still mainly involve someone pretending to be the CEO asking for gift cards, security teams are bracing for a future where that 'CEO' might video call you with a perfectly cloned voice and face."
Investment is needed to bolster staff awareness
Enterprise cybersecurity budgets are increasing to counter rising threats, the study found, with 65% revealing they expect bigger spending moving forward.
Just 4% of respondents said they expect their cybersecurity budget to fall.
The biggest priority is email security, a key focus for 45%, followed by security awareness training at 37%, and cloud security at 34%.
However, while 32% believe that AI-based tools will have the greatest impact, only 26% are prioritizing this for funding.
"These investment priorities reflect a growing understanding that effective security requires a harmonious blend of technical controls and human capabilities," the researchers said.
"With email security and security awareness training leading the investment priorities, organisations are clearly recognizing the interconnected nature of technical and human risk."
Nearly 90% of respondents expressed confidence in their ability to respond to cyber attacks - a bit of a problem, said the researchers, given the high prevalence of successful attacks.
"The findings highlight that bridging the gap between perceived value and investment in integrated human risk management is crucial," said Malik.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A guide to cyber security certification and training
- Employee phishing training is working – but don’t get complacent
- Our guide to the best online cybersecurity training courses
-
The move to a digital network and its role in the bigger picture of achieving true digital transformation: how SMBs can set themselves up for successSupported Beyond the dial tone, the digital switchover is the key to SMB success
-
Middlesbrough Council boosts cybersecurity spending, strategy in response to repeated cyberattacksReviews Councils across the UK have publicly struggled with maintaining services in the face of major cyber disruption
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Generative AI attacks are accelerating at an alarming rateNews Two new reports from Gartner highlight the new AI-related pressures companies face, and the tools they are using to counter them
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
‘Channel their curiosity into something meaningful’: Cyber expert warns an uptick of youth hackers should be a ‘wake-up call’ after teens charged over TfL attackNews Encouraging youths to engage in positive tech initiatives will guide them down the right path and away from nefarious activities
