Human error in cybersecurity: how leaders can prevent avoidable attacks
Workplace security training is a must – but blame culture helps no one


As AI helps attackers create more convincing phishing emails and deepfakes, user behavior is a major cybersecurity challenge for businesses. In late 2024, Kaseya research found human error is the main cybersecurity hurdle for 89% of firms.
User-related security issues – such as poor user practices and gullibility – were the largest worry (45%), while lack of end-user security training (44%) followed close behind.
There are a number of reasons for this, including employees falling for social engineering scams or overriding company guidance to do their job more quickly.
So, what can businesses do to prevent the increasing number of incidents caused by human error and how can they ensure more secure practices going forward?
Human error: Risky foundations
Human-caused breaches often happen due to a lack of secure foundations, in the form of poor organizational security controls or little training. Therefore, accountability lies with the business itself, rather than with the employee making the mistake, experts say.
Many security breaches are still caused by businesses not getting the basics right, says Jonathan Lee, director of public sector relations at Trend Micro.
“Not having multi-factor authentication (MFA) in place, failure to adhere to password policies, re-using the same credentials across different systems, and not mitigating against known vulnerabilities by deploying patches in a timely manner are still causing issues,” he says.
There are “far too many examples” of poorly-designed security systems implemented “in a way that enables and facilitates breaches through employee manipulation”, adds Kai Roer, CEO and co-founder of Praxis Security Labs.
He points out that humans are bad at choosing new passwords if asked to change them too often: “They just take the previous password and add an incremental number.
“The challenge is not actually that these passwords are easy to hack; it is that employees are being forced to do things that someone decided was a good idea, without thinking through the consequences and without understanding how the human mind works.”
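As an added illustration of the rotation problem Roer describes (example code, not from the article or any of the companies quoted): a password-change check that rejects a new password which is just the old one with a trailing number added, bumped or removed, so a forced rotation cannot be satisfied by incrementing. The function names and sample passwords are constructed.

```python
import re

# Added example (not from the article): a password-change check that rejects
# the "previous password plus an incremental number" habit. It runs only at
# change time, when the user has supplied both secrets; nothing is stored.

# stem, optional run of digits, optional trailing punctuation, e.g. "Summer" "2024" "!"
_SHAPE = re.compile(r"^(.*?)(\d*)([^\w]*)$", re.DOTALL)


def _shape(password: str) -> tuple[str, str, str]:
    """Split a password into (stem, digits, tail); digits and tail may be empty."""
    m = _SHAPE.match(password)
    assert m is not None  # the pattern always matches
    return m.group(1).casefold(), m.group(2), m.group(3)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing counter added, bumped or
    removed (stem compared case-insensitively): the pattern rotation produces."""
    old_stem, _, old_tail = _shape(old)
    new_stem, _, new_tail = _shape(new)
    return old_stem == new_stem and old_tail == new_tail


def check_password_change(old: str, new: str, min_length: int = 12) -> list[str]:
    """Return the policy problems with a proposed change (empty list = accepted)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if new == old:
        problems.append("same as the previous password")
    elif is_trivial_variant(old, new):
        problems.append("previous password with the number changed")
    return problems


if __name__ == "__main__":
    # Constructed sample of the changes a rotation prompt typically produces.
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("correct-horse-battery", "correct-horse-battery1"),
                     ("Summer2023!", "glacier-mango-lantern-7")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```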
Therefore, blaming “user behavior” as the biggest cybersecurity challenge is “a convenient but lazy narrative that shifts focus away from the root causes of risky actions”, says Tim Ward, CEO and co-founder of ThinkCyber Security. “Employees are often blamed for breaches, but organizations rarely ask why mistakes happen in the first place.”
He points out that many employees are required, as part of their jobs, to process emails and click on links. “Holding them solely accountable for mistakes in these tasks seems unfair.”
This is a long-held criticism of phishing training, which if not deployed in a considered manner can punish staff for diligence and court controversy. Overly realistic tests, or those built around a contentious subject, also make headlines: in 2024 the University of California Santa Cruz (UCSC) was criticized by experts for using a fake Ebola virus alert to conduct phishing training.
Nevertheless, training is a must for staff. Poor user behavior often stems from a lack of knowledge and training, says Damian Garcia, head of GRC Consultancy at IT Governance. “Many security incidents begin with a phishing email – and some people may be totally unfamiliar with the signs of phishing, making them more prone to falling for an attack.”
Training away human error
New technology such as easy-to-access generative AI is making attacks more sophisticated, adding to the risk that employees may fall for scams such as phishing emails.
Taking this into account, training “is a cornerstone of an organization’s defense against cybersecurity threats”, says Mark Raeburn, cyber resilience lead at Accenture UK. “Employees are the first line of defense, so their ability to identify and report suspicious activity makes all the difference.”
However, effective training requires more than a one-size-fits-all approach, Raeburn says. Simulations that replicate phishing attempts are “invaluable in helping employees recognize and react to potential scams”, he advises.
Education can be done in a number of ways, using formal online cybersecurity courses, or via internal mechanisms such as email or noticeboards, says Matt Ellison, technical director EMEA at Corelight.
He lists some key factors that can be included in training to help keep the business safe: “Simply reminding staff that the senior leadership team would never ask people to bypass processes and that unusual requests with a high degree of urgency should always be double checked, especially when being asked to step outside regular processes.”
It's also very useful to help employees understand the intent and mindset of attackers and “how they strive to take advantage of people's typical behaviors”, says Ellison. “Employees who carry a healthy degree of skepticism when faced with something that doesn't seem right, is unusually urgent, is outside of normal processes, or is too good to be true are much more likely to not fall victim to an attack.”
The frequency and structure of cybersecurity training plays “a crucial role” in its effectiveness, says Raeburn, who adds that organizations should look to establish quarterly sessions as a baseline.
Effective training incorporates various methods to engage staff and give them the opportunity to put their learning to the test, says Paul Cragg, CTO at NormCyber. “Combining bite-sized, easily digestible training with hands-on simulations means staff can retain key concepts and effectively apply best practices to real-life cyber-attack scenarios.”
Raeburn describes how Accenture deploys a strategic learning program that uses gamification and modern techniques to ensure staff can become ‘information security advocates’. “Employees who complete the program are significantly less likely to contribute to a security incident and are vital for protecting the company and our data.”
Testing is also vital when it comes to ensuring staff are retaining information and are adequately prepared in case of an attack. Cragg says that all of the above, including phishing simulations, asking knowledge and confidence-based questions after training sessions, and providing interactive workshops, help boost security.
Preventing human error in cybersecurity starts from the top down, ensuring employees feel empowered to report suspicious activity without feeling blamed. A security-aware culture is key, says Garcia. “Mistakes will inevitably happen, but staff should be encouraged to speak up rather than be punished, which in the end creates a stronger and more transparent security environment.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.