Humans are the heartbeat of any organization, driving innovation, decision-making, and daily operations; as both customers and employees, they keep businesses afloat. However, with human involvement comes the inevitability of human error. This issue transcends industries, whether it’s the 1999 NASA Mars Climate Orbiter crash caused by a metric conversion error or the 2021 Colonial Pipeline cyberattack triggered by a compromised password. But we aren’t going anywhere, so mitigating human error in cybersecurity is a critical focus for all enterprises. Given that, Arctic Wolf’s 2024 Human Risk Behavior Snapshot is a timely resource. It highlights both sides of this coin, offering insights into the persistent cybersecurity risks tied to human behavior and the opportunities for improvement through better practices and communication.
Arctic Wolf’s report sheds a harsh light on the human vulnerabilities that persist within the cybersecurity landscape. Drawing from a survey of over 1,500 IT and security professionals, this report exposes the deeply ingrained habits and misconceptions that continue to put organizations at risk, even as technology advances. The findings underscore a central point: cybersecurity isn’t just about implementing sophisticated technology; it’s equally about the behaviors and practices of the people using it. The focus on human error in cybersecurity remains critical.
Our takeaways follow; you can get the whole report here.
Overconfidence Meets Reality
One of the most striking revelations from the report is the stark contrast between IT leaders’ confidence in their defenses and the reality of their actions. A staggering 80% of IT and security professionals expressed high confidence in their organization’s ability to resist phishing attacks, yet 64% admitted to having fallen for phishing scams themselves. This disconnect is dangerous, as phishing remains one of the most common and effective means for cybercriminals to breach corporate systems. Additionally, the findings reflect how human error in cybersecurity remains a persistent issue.
Further exacerbating this problem is the overreliance on traditional security measures like passwords. The report found that 68% of IT and security leaders admitted to reusing passwords across systems, despite their knowledge of the risks. Worse, over half of these leaders use memory or spreadsheets to track passwords instead of relying on more secure password management solutions. This poor password hygiene exposes organizations to significant risk because IT professionals have access to sensitive administrator accounts and other critical assets.
Human Error: The Greatest Threat
The Arctic Wolf report reiterates that human error remains the dominant cause of cybersecurity breaches. According to various studies, human error accounts for between 68% and 95% of security failures. This reality highlights a persistent gap in organizations’ approaches to cybersecurity, which too often focus on technological solutions while overlooking the human element.
Basic cyber hygiene practices, such as regular password updates and the use of multi-factor authentication (MFA), are often ignored. While 93% of IT leaders reported enforcing MFA, only 59% apply it to all users, leaving significant gaps that bad actors can exploit. This lax attitude extends to other critical areas: more than a third of IT leaders admitted to disabling security features on their systems, reckless behavior that puts entire organizations at risk.
Communication Breakdown
The report highlights a communication gap between IT leadership and end users that further weakens an organization’s cybersecurity posture. Despite 60% of IT leaders claiming their organization has a policy for artificial intelligence (AI) use, less than a third of end users were aware of it. This lack of awareness is particularly troubling as AI becomes more integrated into daily operations, creating potential new vulnerabilities if not managed correctly.
Security incident reporting is another area fraught with tension and fear. While 85% of IT leaders believe employees feel comfortable reporting security incidents, only 77% of end users share that sentiment. Of the 5% who are uncomfortable, 45% feared that reporting an incident could cost them their job. These fears are not unfounded: the report found that 27% of IT leaders had seen an employee terminated for falling victim to a scam, and 39% said they would be willing to terminate someone in the future under similar circumstances. This punitive approach fosters a culture of fear rather than a culture of proactive security in which employees feel encouraged to report vulnerabilities or mistakes.
The Role of Security Training
Arctic Wolf emphasizes that traditional security awareness training, often delivered as annual checkbox-style exercises, is no longer sufficient. Instead, organizations need to adopt a continuous, dynamic approach to security education that fosters real behavioral change. The report found a strong correlation between the frequency of security training and improved security practices. Organizations that conducted security awareness training at least quarterly were more likely to enforce stricter password policies and see fewer breaches.
However, there is still considerable room for improvement. Only 49% of end users receive security training at least quarterly, and just 31% described their training as engaging. Without engaging, relevant training, employees will likely tune out, leaving them unprepared to face the evolving threat landscape. More frequent and dynamic training can help mitigate human error in cybersecurity.
Mitigating Human Risk
The report concludes with a roadmap for addressing these persistent human vulnerabilities. It calls for the adoption of a comprehensive human risk management strategy that extends beyond periodic training sessions and into everyday operations. This includes creating a culture where employees feel empowered to report incidents without fear of retaliation and where cybersecurity policies are clearly communicated and understood across all levels of the organization.
The findings also stress the need for organizations to move away from a “blame culture” that punishes employees for making mistakes. Instead, businesses should focus on building a security-first mindset that encourages collaboration and openness, particularly when it comes to reporting and responding to security incidents. By fostering a supportive environment, organizations can significantly reduce human error in cybersecurity.
Conclusion
Arctic Wolf’s 2024 Human Risk Behavior Snapshot is a sobering reminder that technology alone cannot protect organizations from cyber threats. People and their behaviors are at the heart of cybersecurity—and they must be prioritized accordingly. As threat actors continue to evolve their methods, exploiting both technological vulnerabilities and human weaknesses, businesses must double down on fostering a security-conscious culture. By addressing the human side of cybersecurity, organizations can better defend against the growing threat landscape and ensure long-term resilience. In summary, human error in cybersecurity remains one of the most critical challenges for organizations to tackle.
In short, the report makes it clear that cybersecurity is not just a technical problem; it’s a human one. Until that reality is fully embraced, organizations will remain vulnerable to the most preventable breaches.