Introduction
When thinking about what makes up IT security, high-tech firewalls, robust encryption algorithms, and advanced threat detection systems are often the first things that come to mind. But no matter how advanced security measures are, it is the human element that can bolster or undermine an organization’s entire cyberdefense system.
This means that, whether through accidental actions or intentional misconduct, an organization’s employees can place IT systems and data in serious peril. Any organizational security strategy must address the likelihood of human-generated liabilities.
Accidental Missteps
While it is widely recognized that many cyberdefense measures are designed to thwart malicious actors, it is less commonly understood that data breaches can also result from accidental human error. Research shows employee mistakes are the source of security incidents 88% of the time.1 Most often, this occurs through carelessness or lack of knowledge.
A common example is an employee falling for a phishing email (or an SMS phishing, “smishing,” message) by clicking on a link or downloading an attachment, which opens the door to a cyberattack. It is easy to see how this happens, since phishing schemes are common and are often cleverly disguised as legitimate communications. Phishing is just one of many forms of social engineering. Pretexting, when an attacker impersonates someone with a plausible reason to request information (e.g., a bank representative or law enforcement officer), is another scenario in which information such as social security numbers (SSNs) or financial details may be inadvertently given away. Another unintentional risk is employees using easily guessed or recycled passwords. More than 80% of confirmed breaches are related to stolen, weak, or reused passwords.
Insider Threats
Intentional threats originating inside an organization are less common but do still happen. Consider an angry or unscrupulous employee who purposely exposes confidential data or disrupts organizational systems for revenge or financial gain. A recent example of this type of threat is the 2024 data breach at Disney,2 which exposed over 1TB of confidential data and was executed by a cybercrime group with the help of a malicious insider. In this particular case, Disney could have leveraged User and Entity Behavior Analytics (UEBA),3 in which an AI system establishes baseline behaviors for users and devices and detects anomalies that might indicate malicious activity. By analyzing behavior patterns, AI can identify potential insider threats, such as users who misuse their access privileges.
Understanding the “Why”
One of the greatest contributors to human-generated security risk is the lack of proper awareness and training. Even in the tech industry, employees often do not fully understand the scope of risk or how their actions can adversely impact their organization.
This responsibility rests on the organization and those tasked with IT security. Cybersecurity training for employees is often comprised of short, one-time sessions on IT security using outdated materials that do not address the evolving nature of cyberthreats.
As a byproduct of this lack of awareness, employees may develop a false sense of security. They assume the IT department has security under control, and the tools it uses, such as antivirus software and firewalls, will catch any threat. This leads employees to underestimate the potential impacts of any careless behavior and thus introduce risk.
Strategies To Mitigate Human Risk
The first line of defense in minimizing human-related risk is employee education and training. However, this effort cannot be intermittent or superficial. Effective IT security training must be ongoing.
Organizations should prioritize regular training sessions that cover the most current and relevant cybersecurity information. Topics such as preventing phishing and social engineering attacks, password management best practices, ransomware awareness, data privacy and protection, malware awareness, and secure remote work practices, among others, will help employees stay vigilant and keep security at the forefront of their minds.
Interactive and hands-on training can also be highly beneficial in helping employees comprehend the nature of cyberattacks and how to detect them. For instance, conducting fake phishing exercises to observe how employees respond to threats can provide valuable insights for improvement without any real risk involved.
While education is crucial, it must be supported by strong, clear, and enforceable organizational policies that cover everything from password management to data access controls. Such policies provide a solid framework for employees to follow. They should also be updated regularly to keep pace with new threats and evolving regulations, and organizations must ensure that all employees adhere to them. Policies should take into consideration organizational tendencies to prioritize meeting tight deadlines and performance targets and ensure that strict practices are in place to avoid shortcuts in security protocols that leave systems vulnerable to breaches. The key is to ensure that security becomes an integral part of the workflow, rather than an afterthought. Organizations could achieve this by embedding cybersecurity in their development lifecycle (DevSecOps), appointing security champions/advocates within development or operations teams, and integrating security reviews into Agile Sprint sessions.4
Even with the most vigilant and informed employees, mistakes still happen. This is where technology plays a role in supporting human efforts. Multifactor authentication (MFA), encryption, and automated threat detection can provide additional layers of protection. These tools can function as a safety net, catching errors before they lead to a full-blown security incident. With the appropriate combination of tools, along with human vigilance and alertness, organizations can better protect themselves against cyberthreats.
The good news is that advancements in artificial intelligence (AI) and machine learning (ML) are also making it easier for organizations to identify suspicious behavior, such as unusual login times or patterns, which may indicate a potential breach, so they can stop it before damage occurs.
Managing false positives is a critical challenge when using AI and ML in cybersecurity, especially since these technologies often generate large volumes of alerts. If not effectively managed, this can overwhelm security teams, causing them to overlook actual threats or waste resources on investigating non-issues. Companies should fine-tune their AI models and algorithms and continuously train them over time.
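The baseline-and-anomaly idea behind UEBA, and the trade-off between catching unusual login times and drowning the team in false positives, can be shown on a small login log. The following is an added illustration, not code from the article or from any UEBA product: it builds a per-user profile of login hours and source hosts from a constructed baseline period, scores new logins by how many features deviate, and exposes a tolerance and a threshold that tune the false-positive rate.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records ("timestamp user host"); not taken from the article.
BASELINE_LOG = """\
2024-07-01T08:55 alice ws-12
2024-07-02T09:10 alice ws-12
2024-07-03T08:40 alice ws-12
2024-07-04T09:05 alice ws-12
2024-07-01T22:10 bob vpn-gw
2024-07-02T23:05 bob vpn-gw
2024-07-03T22:40 bob vpn-gw
"""

NEW_LOG = """\
2024-07-08T09:00 alice ws-12
2024-07-08T03:15 alice ws-12
2024-07-08T03:20 alice vpn-gw
2024-07-08T22:30 bob vpn-gw
2024-07-08T07:50 alice ws-12
"""

def parse(log):
    for line in log.splitlines():
        ts, user, host = line.split()
        yield datetime.fromisoformat(ts), user, host

def build_baseline(log):
    """Per-user profile: hours of day and source hosts seen during a trusted period."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host in parse(log):
        profile[user]["hours"].add(ts.hour)
        profile[user]["hosts"].add(host)
    return profile

def score_login(profile, ts, user, host, tolerance=1):
    """Count deviations: hour outside baseline (+/- tolerance hours, wrapping midnight), unseen host."""
    p = profile.get(user)
    if p is None:
        return 2  # user never seen in the baseline: maximally unusual
    near = {(h + d) % 24 for h in p["hours"] for d in range(-tolerance, tolerance + 1)}
    return int(ts.hour not in near) + int(host not in p["hosts"])

def flag_anomalies(profile, log, threshold=1, tolerance=1):
    """Return (timestamp, user, host, score) for logins scoring at or above threshold."""
    flagged = []
    for ts, user, host in parse(log):
        score = score_login(profile, ts, user, host, tolerance)
        if score >= threshold:
            flagged.append((ts.isoformat(), user, host, score))
    return flagged
```

With the defaults, alice's 03:15 and 03:20 logins are flagged and her 07:50 login is not; setting tolerance to 0 also flags 07:50 (a likely false positive), while raising the threshold to 2 leaves only the off-hours login from an unfamiliar host.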
A Human-Centric Approach to IT Security
Humans are often the weakest link in IT security, but they do not have to be. To strengthen overall security, organizations must address both unintentional and intentional risk that arises from human behavior.
By implementing a comprehensive approach that includes employee education, clearly defined security policies, and supportive technologies, organizations can minimize the vulnerabilities related to human actions and create a more secure environment.
Your organization’s security depends on it.
Endnotes
1 CISOMAG, “‘Psychology of Human Error’ Could Help Businesses Prevent Security Breaches,” 12 September 2020
2 Abrams, L.; “Disney Ditching Slack After Massive July Data Breach,” BleepingComputer, 20 September 2024; Whitten, S.; “Disney to Ditch Slack Following July Data Breach,” CNBC, 19 September 2024
3 Fortinet, “What is UEBA?”
4 Thakur, M.; “What is Agile Sprint?,” Educba Blog
Amit Patel
Is a senior vice president at Consulting Solutions, one of the fastest-growing IT workforce and consulting services providers in North America, where he leads its national consulting practice.