Getting your organization battle-ready for the new era of cyberthreats
Introduction
Managing the human element is the core challenge in information security. Technical defenses are essential but can’t address the unpredictability and impact of human behavior, which remains the leading vulnerability that attackers exploit.
Most organizations establish policies for accessing sensitive data and provide security awareness training to encourage compliance. Despite these efforts, major data breaches still occur daily.
The ongoing increase in cyberattacks is often due to overreliance on technology for protection. While technology strengthens defenses, people remain the primary line of defense in information security.
Key Insights
• The human element (errors, social engineering, misuse of credentials) is a factor in roughly 68% of data breaches, as shown in Verizon’s 2024 Data Breach Investigations Report.[1]
• 52% of cyber incidents in recent years have been directly linked to remote and hybrid work environments, highlighting how remote work has permanently expanded the attack surface.[2]
• Egress’s latest email security research reported that 94% of global organizations experienced email security incidents in the past 12 months, and OPSWAT/Ponemon found 61% of organizations had incidents involving unauthorized access to sensitive data by insiders in the previous two years.[3][4]
New Attack Vectors Proliferating in the Era of Hybrid Work
“With its rapidly expanding attack surfaces, the hybrid workplace is a hacker’s utopia.”
The human element in information security has become increasingly prominent as work extends beyond traditional office settings. Remote and hybrid work introduce new security threats, as employees use various, often personal, devices. The attack surface has grown so much that defining IT assets solely as physical devices is nearly impossible, making traditional perimeter security measures obsolete.
Threat actors frequently target remote workers, looking for ways around multifactor authentication and other standard controls. They anticipate that remote employees may be more distracted and less likely to report suspicious activity, so they time phishing campaigns for periods when oversight is limited.
Human error has always been central to information security challenges. Employees connecting remotely are often not security experts and may develop poor habits, such as ignoring updates, reusing passwords, or clicking on malicious links. While technology can mitigate these risks, its effectiveness depends on users’ understanding and engagement.
Balancing User Experience and Information Security
The flexibility of remote work is essential to modern business but can lead to security lapses. Employees focused on efficiency may use risky workarounds if secure processes are cumbersome. For example, slow document-sharing may prompt use of unsecured channels such as personal email or messaging apps.
Since people often seek shortcuts, security leaders must balance security and usability. Employees require efficient tools that fit their workflows, or they may bypass IT guidance. The same principle applies to customers, particularly in sectors where complex security measures discourage compliance.
The Divergence between Human Error and Malicious Intent
“The key question is not who made the mistake, but why it happened in the first place.”
When incidents occur, blame is often assigned to individuals. In information security, it is more important to understand why a mistake happened rather than who made it.
To address this, organizations must trust employees to identify and report potential issues. In a culture of blame, employees are less likely to report suspicious activity, which can delay detection and containment of data breaches, giving attackers more time to exploit vulnerabilities.
Information security leaders often associate data breaches with malicious intent, especially given the rise in insider threats. For example, disgruntled employees may deliberately expose sensitive data, and corporate espionage remains a concern in sectors like financial services. While these threats are significant, human error is still the most common cause of cyberattacks and data leaks. Additionally, environments lacking trust are more likely to foster malicious intent internally.
Building trust is fundamental to a security-aware culture. Employees must feel safe reporting issues to actively defend against threats. Without trust, organizations undermine the effectiveness of the human factor—leaving them more vulnerable to cyber incidents.
The Importance of Trust and Transparency in Information Security
Bridging the gap between management and employees is a significant challenge for security leaders. For example, CISOs are often misunderstood by other departments and perceived as leading the department of ‘no.’
Even when information security leaders implement new security frameworks covering documentation, training, and technology, these efforts often fail without trust. For maximum impact, security discussions should include every business department, lower-level employees included. This collaboration prevents a false sense of security when new frameworks are introduced and demonstrates how engagement delivers results.
While malicious intent contributes to many breaches, most cyber incidents begin with human error by unprepared employees. The most effective countermeasure is cultural: building trust and accountability. Information security leaders who foster this environment can implement security awareness programs that engage the entire organization.
Building a Security-Aware Corporate Culture with Education
“Cybersecurity is everyone’s responsibility, which is why everyone needs to be involved.”
After establishing a culture of trust, accountability, and transparency, information security leaders should implement a security awareness training program to strengthen resilience against human error. Effective leaders position themselves as champions of change, engaging the entire team from the top down. By leading through continuous support and positive reinforcement, they become leaders that employees are willing to learn from, which is more effective than focusing solely on a ‘strong work ethic.’
An effective security awareness program engages employees in ways relevant to them. To achieve this, avoid focusing only on business needs; employees should see how training benefits them personally. This emphasis is especially important in remote work settings, where employees use their own devices. When employees understand their role in company security, they also improve their personal security. Ultimately, the focus should be on employee outcomes and how these drive desired security behaviors.
Breaking Away from Conventional Training Formats
Many information security training programs are criticized for being dull and overly technical, making them difficult for employees to relate to. Since traditional formats, such as workshops and seminars, often fail to engage participants and result in poor retention, rethinking training methods is crucial. Because the human element drives a security-aware culture, training should focus on people rather than technology.
Instead of overwhelming employees with technical content, simulated phishing scams and other real-world, controlled attacks are more effective in educating them. Information security leaders can further enhance training by customizing scenarios based on employees’ previous responses, thereby continuously improving effectiveness. Security awareness training should be ongoing and integrated into daily business operations.
Security awareness training can be engaging and enjoyable. Forward-thinking information security leaders incorporate gamification, utilizing elements such as points, badges, and ranks to motivate employees and foster engagement. Gamification fosters a healthy competitive environment, promoting a collaborative culture where everyone is held accountable.
How Technology Helps to Mitigate the Risk of Human Error
“If automation mitigates human error, then why do mistakes still happen?”
Many managers tout automation as the solution to human error, but this overlooks the fundamental point that people and technology must work together to mitigate risk. Technology should therefore strike the right balance between ease of use and security. Even then, no technical solution can be relied upon entirely; the human element remains integral to good information security hygiene. For example, even multifactor authentication can be bypassed by exploiting human unpreparedness, as demonstrated by modern phishing-as-a-service platforms that proxy logins and steal session tokens.[6] This is why people, processes, and technology must work together to tackle the latest threats.
Information security leaders should view technology as an enabler of better security habits, not a standalone solution. For example, while email spam filters block many threats, they may not detect sophisticated phishing scams using compromised legitimate accounts. Employees should view these tools as conveniences that enable them to focus on evaluating the authenticity of the messages they receive.
This principle applies to all technical measures in information security. Policies and best practices should align with the broader security strategy and be clearly communicated to prevent a false sense of security. Technical solutions should inform and educate users, not just block threats. For example, extended detection and response services provide visibility into potential threats, supporting informed decision-making. Ultimately, people remain central to reporting and managing incidents, with technology serving to support and streamline these efforts.
Offsite data backup is another essential technological measure, particularly given the ongoing threat of ransomware. Automated backup and disaster recovery services provide effective protection, allowing employees to focus on preventing social engineering scams that often lead to ransomware attacks.
The right technology enables information security leaders to maintain control over computing assets and promote informed decision-making and positive behaviors among employees. By using simulated social engineering attacks and clear, relatable policies that foster accountability, organizations can prepare both their business and people to address emerging threats.
Final Words
Threat actors increasingly exploit human unpreparedness because it is often easier than bypassing technical defenses. Social engineering relies on the human element, making it essential to place people at the center of your security strategy. Building a strong information security program requires:
• Understanding how the threat landscape has evolved due to the rise of remote work
• Building an organization-wide culture of trust, transparency, and accountability
• Driving security awareness with an engaging and ongoing training program
• Leveraging technology to augment human teams and promote good information security hygiene
Technical measures may block countless social engineering attempts, but a single successful attack can cause significant harm. This is why people remain the first and last lines of defense in your organization.
Sources
[1] Verizon. 2024 Data Breach Investigations Report (DBIR).
[2] Gitnux. Remote Work Cybersecurity Statistics (2025).
[3] Egress. Email Security Risk Report (2024).
[4] OPSWAT & Ponemon Institute. State of File Security / Insider Threat Study (2024).
[5] IBM Security & Ponemon Institute. Cost of a Data Breach Report (2024).
[6] Resecurity; The Hacker News. Coverage of EvilProxy and related phishing-as-a-service platforms used to bypass MFA (2022–2024).