
Bolstering the human factor: why the weakest link in cybersecurity needs help
Despite the plethora of advanced cyber-defence solutions on the market, cybercrime continues to soar, largely because the weakest link in the cyber-defence chain – humans – remains fallible. Just one cybersecurity mistake by an employee can have devastating impacts on businesses.
This is according to Garith Peck, Managing Executive of Cybersecurity at BCX, speaking during a Cybersecurity Awareness month podcast hosted by BCX: “When people think about cyber-risk, they tend to think about hackers, but the real risk is much closer to home – it is us. Humans are the most common threat vector. For example, cybersecurity fatigue is a reality, where users and cyber-security teams are so bombarded with alerts, rules and security messages that vigilance drops and mistakes creep in. When humans slip, that is when threat actors strike.”
Peck notes that there is no such thing as a foolproof security system, and that traditional approaches to cybersecurity are inadequate when it is becoming easier to bypass perimeter security and gain access to organisations via their people.
Human error + AI widens security gaps
Speaking to Peck, Chris Bester, Consultant in Cybersecurity Management & Governance at BCX, says employees are vulnerable to social engineering, make genuine mistakes, and often bypass complex security measures just to get their jobs done. Employees or contractors may also misuse access, either maliciously or negligently.
“Everyone is bombarded with notifications and digital noise all day long, so people get message fatigue and take cognitive shortcuts. With all this digital overload, people make mistakes, and the threat actors are counting on us to do something stupid,” Bester says.
According to Gartner, human error is a major contributor to cyber-breaches: Gartner expects human failures and a shortage of cybersecurity staff to be responsible for over half of all significant cyber-incidents in 2025, while Mimecast’s State of Human Risk (SOHR) 2025 Report says human error accounts for as many as 95% of all data breaches. These errors could include oversights or mistakes like network misconfigurations, weak passwords, or accidental data sharing.
Says Bester: “Threat actors are big organisations – they aren’t just ‘script kiddies’ around the corner anymore, and they employ some of the best behavioural scientists and psychologists to help them target individuals.”
As cybercriminals become increasingly sophisticated and harness artificial intelligence (AI) to improve their attack success rate, humans are more vulnerable than ever. AI is being used to gather data on victim organisations, automate cyber-attacks, and craft very convincing phishing mails or deepfake audio or video, making it exceedingly difficult for victims to discern which mails or direct messages are legitimate, and which are scams.
With the advent of generative AI, many employees unwittingly process sensitive corporate information using public LLMs such as ChatGPT. Because many organisations don’t yet have formalised AI guardrails or have not yet put their own internal AI platforms in place, there is a real risk of customer names and details or corporate data entering the public domain in this way.
The consequences of human error
A single click on a malicious link can have massive repercussions for the organisation and the individual who clicked on the link. For the organisation, the fallout could include significant financial losses, costly downtime, possible penalties, and significant reputational damage.
With limited resources to help them recover, SMEs are particularly hard hit, and many have had to shut down in the wake of a serious cyberattack.
For individuals, a cyber-breach could also mean the loss of their job.
Reviewing traditional approaches
Peck says traditional approaches to raising employee awareness of cyber-risks are no longer enough to mitigate the human risk factor.
“There is a downside to some of the cybersecurity education tactics because employees are bombarded with phishing tests and constant MFA prompts, so stress and fatigue creep in,” Peck comments.
“People become numb to the education and awareness tests, and they start responding to them like a tickbox exercise,” Bester adds.
Forrester says traditional Security Awareness & Training (SA&T) is insufficient, because it often focuses on checking boxes and compliance rather than genuinely changing behaviour. Forrester’s research suggests that companies need to shift to a Human Risk Management (HRM) approach for true cybersecurity.
Clamping down by imposing more layers of security, such as multiple passwords and multi-factor authentication, may also prove counter-productive, as employees tend to find workarounds when security protocols become too onerous and slow them down.
This is underlined by a Gartner survey, which revealed that 74% of employees said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.
The solution to the human factor challenge is a multifaceted one, Peck comments: “One way is through education, but what trumps education is culture. You can train people all year, but if cybersecurity isn’t part of the culture of the organisation, and the leaders themselves bypass MFA and rush through security, the company’s security culture collapses.”
“Culture can’t be a focus for just one month of the year, it needs to be a focus all the time across the enterprise and in people’s daily lives,” he adds.
Bester and Peck agree that organisations need to foster a mindset where cybersecurity is everyone’s responsibility, and where employees feel confident that they can report their mistakes or any suspicious activities without fear of reprimand.
Instilling a security culture
Cybersecurity and cyber-mindfulness should be integrated into onboarding, with continuous training and awareness programmes to keep cybersecurity top of mind. Phishing simulations, workshops and cybersecurity awareness gamification may help to instil caution and awareness in teams.
Says Peck: “It’s about building resilience in people. We need to be cognisant and respect human limits, so it is crucial to implement clear policies and procedures across the entire cybersecurity landscape, from password processes to incident response. Organisations should measure the success of these policies, and regularly reassess and adjust their strategies based on their effectiveness and the changing risk landscape.”
Technology continues to play an important role in mitigating cyber-risk, so organisations should look to tools that support secure behaviour, including Zero Trust solutions and multi-factor authentication.
Building a culture of cyber-awareness isn’t just about training and protocols; it’s about creating an environment where security is ingrained in every action, for cyber-safe organisations.
“With the right culture, people can become our strongest defence,” Peck concludes.
To listen to the full podcast, go to https://www.bcx.co.za/bcx-connects/