The Biggest Inhibitor of Cybersecurity: The Human Element

Essential steps such as security awareness training, MFA, and Zero Trust identity management help organizations reduce the risk posed by the human element and stay ahead of the cybersecurity curve.

Global spending on information security is projected to reach $212 billion in 2025, reflecting a 15.1% increase from 2024, according to Gartner’s latest forecast. Despite this surge in investment, breaches remain rampant, as seen in recent incidents such as the ransomware attack on Change Healthcare and a brute-force campaign exploiting vulnerabilities in various Cisco products. While technology plays an essential role in fortifying organizations against cyber threats, adversaries continue to exploit the weakest link in the defense chain: the human element. According to the 2024 Verizon Business Data Breach Investigations Report (DBIR), the human element was a component of 68% of all data breaches. It is often said that the most sophisticated security controls can be undermined by a single click from an uninformed or careless employee. This highlights an urgent question: how can organizations strengthen this vulnerable link in cybersecurity?

The Current Threat Landscape

Despite advancements in cybersecurity tools, strategies, and AI, the human element remains a constant vulnerability. As fallible beings, people are susceptible to phishing and social engineering tactics that attackers use to infiltrate IT environments. The 2023 ransomware attack on MGM Resorts is a case in point: it began with social engineering when a threat actor tricked a help desk attendant into resetting a password without proper verification.

Inadequate password practices and accidental data leaks further expose fortified networks to cyber threats. Increasingly, attackers do not have to “hack in”; they simply log in using weak, default, stolen, or otherwise compromised credentials.

Many of these breaches are preventable through basic cyber hygiene. However, organizations often allocate the majority of their security budgets toward protecting network perimeters rather than implementing measures to counteract the human element—a crucial oversight.

Strategies to Address the Human Element

In a world inundated with cyber threats, focusing solely on technology is akin to equipping a home with advanced security systems but leaving the front door open. An effective cybersecurity strategy requires a balanced approach encompassing people, processes, and technology, with a keen awareness of the human element.

  • Security Awareness Training: Educate employees on the tactics used in social engineering, phishing, smishing, and ransomware attacks, and teach them how to recognize and avoid these threats. Many organizations conduct a one-time phishing exercise to meet compliance requirements, overlooking the fact that cyber threats constantly evolve. Regular, engaging training is essential to reduce human error, whether through virtual escape rooms, phishing games, advanced courses, or newly emerging AI-powered tabletop exercises.
  • Identity Management: Access control is often a weak link in cybersecurity, where balancing data availability with the prevention of unauthorized access is critical. Privileged accounts are especially attractive to attackers, as they can serve as gateways to entire networks. Organizations should adopt strict access control policies, monitor access continuously, and consider implementing a Zero Trust model that adheres to the principle of “never trust, always verify.” Other best practices include Single Sign-On (SSO) to reduce the number of passwords users must manage, multi-factor authentication (MFA) for added security, regular audits of password policies, and enforcing account lockouts after multiple failed login attempts.
  • Balance your Security Investments: While cyber risk can never be fully eliminated, it can be managed effectively by balancing investments between preparedness, prevention, and incident response. Gartner’s “Maverick Research: You Will be Hacked, So Embrace the Breach” report underscores this, advocating for resilience over pure defense. Splitting cybersecurity budgets between these key areas allows organizations to better anticipate, withstand, and recover from incidents, strengthening their overall cybersecurity posture.

Conclusion

Many breaches can be avoided by implementing basic cybersecurity measures, as outlined in guides like “Phishing Attacks: Best Practices for Not Taking the Bait.” Essential steps such as security awareness training, MFA, and Zero Trust identity management help organizations reduce the risk posed by the human element and stay ahead of the cybersecurity curve, paving the way for a more resilient digital future.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
