You invest in firewalls and lose data through Teams. Time for a ‘Human Risk’ audit

While companies build ever more expensive digital fortresses, attackers have found the key to the back door, shifting their campaigns from closely monitored email to trusted messengers such as Teams and Slack. The sharp rise in incidents caused by the human factor shows that modern IT security is losing not to technology, but to employee psychology.


For years, the mantra of IT departments has been: “don’t click on links from strangers”. Today, this advice is not enough. In the age of hybrid working and distributed teams, cybercriminals have adopted the omnichannel model. As business has moved to instant messaging and mobile devices, hackers have followed suit, ruthlessly exploiting our trust in new working tools.

The statistics are stark and may come as a cold shower for many managers. Last year, the number of cyber incidents caused directly by the human factor rose by 90 per cent. That is not a statistical blip; it is a systemic trend. The data in KnowBe4’s latest report, drawn from thousands of employees and hundreds of security leaders, shows clearly that companies’ traditional defensive walls are cracking not under the onslaught of sophisticated code, but on contact with human psychology.

The evolution of threats: From the inbox to the employee’s ‘pocket’

Email is still the king of attack vectors, with 64 per cent of organisations reporting incidents via this route, but its role has changed. Today, email phishing is rarely an end in itself; it is increasingly the vehicle for taking over an employee’s digital identity (account takeover). Once the criminal holds a legitimate account, traditional spam filters are of little use: messages sent from it come from a genuine, trusted sender, pass the checks designed to catch impersonation, and arrive with the credibility of a colleague.

The real challenge for modern business, however, is the diversification of attack channels. Cybercriminals know that today’s office worker is bombarded with notifications from several sources at once, and they exploit this ruthlessly.

Smishing attacks, phishing via SMS/text messages, are rising rapidly (31 per cent of cases). Why are they so effective? Because on a smartphone, often used on the go, our vigilance is dormant. We treat SMS as a more personal and urgent channel, and the inability to see the full URL on a small screen encourages hasty clicks. Added to this is social media, which in 36 per cent of cases becomes a gateway for attackers, blurring the line between the private and professional spheres.

Looking at this data from a business psychology perspective, we see the phenomenon of ‘cognitive overload’. An employee who has to monitor email, Slack, the phone and LinkedIn at the same time loses the ability to critically analyse each message. Attackers are no longer only exploiting software vulnerabilities; they are exploiting our limited attention span. For CISOs, this means one thing: protective controls must work in the background, because an employee’s attentiveness can no longer be relied on as a line of defence.

A false sense of security on collaborative platforms

The most worrying trend to emerge from the market analysis is the increasing effectiveness of attacks on platforms such as Microsoft Teams and Slack. As many as 39 per cent of organisations reported successful attacks carried out through these channels.

Collaboration platforms have fallen into the trap of their own success. They were designed to improve communication and build relationships within a team, and in doing so they created the feeling of a walled garden. We assume that the person writing to us on Teams is a verified colleague. Cybercriminals exploit this trust, and the accounts they have already compromised, with far greater efficiency than through cold, formal email.

The threat on collaboration platforms has two faces. The first is external attack. The second is the mundane mistake, an everyday occurrence in 90 per cent of companies: sending a confidential report to the wrong channel, sharing a cloud folder with unauthorised people, or pasting a password into a chat window. In an environment where ‘Share’ is clicked faster than thought, data leakage becomes a matter of time.

Enemy at the gates or enemy within? The insider threat taboo

Any human-factor analysis has to address a topic that is still taboo in many companies: disloyalty. Cyber incidents are not only the mistakes of tired employees. Security leaders report that in 36 per cent of the cases studied, employees caused the incident intentionally.

Motivations vary, but the consequences are usually painful for the business. In almost half (43 per cent) of deliberate cases, data is leaked or sold to a competitor: customer databases, patent plans or financial strategies.

Most alarming, however, is how helpless security systems are against the enemy within. Timely intervention, meaning blocking the employee before the data leaves, succeeds in only six per cent of such cases. This suggests that DLP (Data Loss Prevention) systems are often badly configured, or simply cannot keep up with the ingenuity of a determined individual who already holds legitimate access to the data.

The strategy gap: Technology vs. people

Despite such clear warning signs, the business world still seems to be investing in solutions to yesterday’s problems. There is a huge gap between how boards perceive the risk and the reality on the ground.

The research points to a shocking awareness gap: less than a third of employees feel personally responsible for the company’s security. Worse still, almost half do not consider the data they work on to be the property of the organisation. A ‘not my circus, not my data’ mentality prevails.

Meanwhile, on the decision-making side, we see structural underinvestment: 97 per cent of cyber-security leaders report needing more resources to combat human-factor threats, yet only 16 per cent of organisations have a formalised Human Risk Management programme in place.

Time to redefine security

The 90 per cent year-on-year increase in human factor-related incidents is a signal that cannot be ignored. Investing millions more in firewalls and EDR systems, while neglecting education and behavioural monitoring, is akin to fitting an armoured lock on a cardboard door.

A modern security strategy must go beyond the IT department. It must become part of an organisational culture in which every employee understands that data security is not an ‘IT problem’ but a condition of the company’s stability, and therefore of their own job.
