Global spending on information security is projected to reach $212 billion in 2025, reflecting a 15.1% increase from 2024, according to Gartner’s latest forecast. Despite this surge in investment, breaches remain rampant, as seen in recent incidents such as the ransomware attack on Change Healthcare and a brute-force campaign exploiting vulnerabilities in various Cisco products. While technology plays an essential role in fortifying organizations against cyber threats, adversaries continue to exploit the weakest link in the defense chain: the human element. According to the 2024 Verizon Business Data Breach Investigations Report (DBIR), the human element was a component of 68% of all data breaches. It is often said that the most sophisticated security controls can be undermined by a single click from an uninformed or careless employee. This highlights an urgent question: how can organizations strengthen this vulnerable link in cybersecurity?
The Current Threat Landscape
Despite advancements in cybersecurity tools, strategies, and AI, the human element remains a constant vulnerability. As fallible beings, people are susceptible to phishing and social engineering tactics that attackers use to infiltrate IT environments. The 2023 ransomware attack on MGM Resorts is a case in point: it began with social engineering when a threat actor tricked a help desk attendant into resetting a password without proper verification.
Inadequate password practices and accidental data leaks further expose fortified networks to cyber threats. Increasingly, attackers do not have to “hack in”; they simply log in using weak, default, stolen, or otherwise compromised credentials.
Many of these breaches are preventable through basic cyber hygiene. However, organizations often allocate the majority of their security budgets toward protecting network perimeters rather than implementing measures to counteract the human element—a crucial oversight.
Strategies to Address the Human Element
In a world inundated with cyber threats, focusing solely on technology is akin to equipping a home with advanced security systems but leaving the front door open. An effective cybersecurity strategy requires a balanced approach encompassing people, processes, and technology, with a keen awareness of the human element.
- Security Awareness Training: Educate employees on the tactics used in social engineering, phishing, smishing, and ransomware attacks, and teach them how to recognize and avoid these threats. Many organizations conduct a one-time phishing exercise to meet compliance requirements, overlooking the fact that cyber threats constantly evolve. Regular, engaging training is essential to reduce human error, whether through virtual escape rooms, phishing games, advanced courses, or newly emerging AI-powered tabletop exercises.
- Identity Management: Access control is often a weak link in cybersecurity, where balancing data availability with unauthorized access prevention is critical. Privileged accounts are especially attractive to attackers, as they can serve as gateways to entire networks. Organizations should adopt strict access control policies, monitor access continuously, and consider implementing a Zero Trust model that adheres to the principle of “never trust, always verify.” Other best practices include Single Sign-On (SSO) to reduce password complexity, multi-factor authentication (MFA) for added security, regular audits of password policies, and enforcing account lockouts after multiple failed login attempts.
- Balance your Security Investments: While cyber risk can never be fully eliminated, it can be managed effectively by balancing investments between preparedness, prevention, and incident response. Gartner’s “Maverick Research: You Will be Hacked, So Embrace the Breach” report underscores this, advocating for resilience over pure defense. Splitting cybersecurity budgets between these key areas allows organizations to better anticipate, withstand, and recover from incidents, strengthening their overall cybersecurity posture.
Conclusion
Many breaches can be avoided by implementing basic cybersecurity measures, as outlined in guides like “Phishing Attacks: Best Practices for Not Taking the Bait.” Essential steps such as security awareness training, MFA, and Zero Trust identity management help organizations reduce the human element and stay ahead in the cybersecurity curve, paving the way for a more resilient digital future.