Redefining Cybersecurity Through Human Influence in the AI Era

The Human Factor: Redefining Cybersecurity In The Age Of AI

Within the realm of cybersecurity, a commonly held belief is that people are the most vulnerable link. This is a notion I frequently challenge, as it is often used as an implicit justification for the failure of cybersecurity tools or procedures, although there is an element of truth to it.

A key finding of Verizon’s 2024 Data Breach Investigations Report is that the human factor is a significant issue. Not deliberately, of course, yet through errors, manipulation, or malevolent intent, human actions or inaction contributed to 74% of breaches in the previous year. This statistic should serve as an alert for any organization that still prioritizes fortifying networks over protecting the individuals who engage with them.

The report highlights what numerous security executives have long suspected: assailants are no longer relentlessly breaching firewalls or exploiting obscure technical vulnerabilities at scale—they are targeting people.

And they are achieving success.

The Increasing Relevance of the Human Element

The data clearly indicates that mistakes, misuse of privileges, social manipulation, and stolen credentials are still the primary causes of breaches.

This is hardly surprising given the contemporary work landscape. Hybrid and remote work setups have expanded digital vulnerabilities, compelling employees to manage multiple communication and collaboration tools. When you add a barrage of sophisticated phishing emails, counterfeit login pages, and cunning pretexting assaults, a recipe for disaster emerges.

“Technology is designed to assist individuals,” states Scott Crawford, head of information security research at 451 Research, a division of S&P Global Market Intelligence. “However, whenever human interaction occurs, the potential for malevolent manipulation exists.”

This manipulation is occurring on a large scale. Social engineering campaigns, business email compromise, and credential theft are on the rise. Cloud service misconfigurations, often stemming from human errors or oversights, are creating unintentional security gaps. Even well-intentioned staff members can become a company’s most fragile point.

“A two-decade-old Gartner forecast predicted that 75% of breaches would result from human error,” comments Richard Stiennon, principal research analyst at IT-Harvest and author of “Security Yearbook 2025.” “This comes as no surprise. Therefore, the basic methods are frequently exploited the most.”

Andrew Bolster, senior R&D manager at Black Duck, underscores, “The field of cybersecurity has continually been an evolutionary battle, with assailants leveraging cutting-edge technologies to target fresh victims in inventive and intriguing ways, while defenders strive to anticipate and counter these new threats before and as they appear, frequently using these same new technologies.”

Enhancing Security at the Human Level

The mounting evidence leads to a single conclusion: Organizations must fortify security where attackers are concentrating—the human element.

This necessitates moving beyond conventional perimeter defenses and endpoint security. It demands an all-encompassing approach that safeguards email communications, secures collaboration platforms, and enforces robust data loss prevention protocols. In essence, organizations must fortify the “human layer”—the juncture where individuals, technology, and data converge.

Scott Crawford stresses, “The obstacle in minimizing risk lies in achieving this without impeding the benefits of technology. Fortunately, several opportunities exist today. Education and awareness programs can set a groundwork, while advancements in behavioral analytics, authentication and multifactor methods, and zero trust implementations can all aid in reducing vulnerability.”

Hence, fortifying the human layer goes beyond mere education. It encompasses integrating more intelligent defenses into the tools employees utilize daily, identifying risky behavioral patterns, and automating threat response to avert compromise due to human error.

Proofpoint and Microsoft: A Prototype for Human-Centric Security

One instance illustrating how organizations are tackling this challenge emerges from Proofpoint and Microsoft. The duo revealed an extended global strategic alliance focused on reinforcing human-centered cybersecurity.

At the core of this collaboration is Proofpoint’s decision to transition its platform to Microsoft Azure. By harnessing Azure’s robust AI capabilities and dependable cloud infrastructure, Proofpoint aims to enhance its capacity to detect and neutralize threats directed at users. This integration extends deeply into Microsoft 365 and Microsoft Sentinel, enabling security teams to automate threat identification and response, enrich their analytics, and bolster data protection.

“Crafted atop Microsoft Azure, we are furnishing advanced, proactive defense for the most vital layer in the cybersecurity ecosystem—the human layer,” elucidated Darren Lee, executive vice president and general manager of Proofpoint’s Threat Protection Group, in a press release.

Using Nexus intelligence technologies, Proofpoint blends AI models, behavior analysis, and threat intelligence to proactively identify and eradicate dangers. A key element of the collaboration is Proofpoint’s Targeted Attack Protection, which integrates with Sentinel to offer enhanced data for extended detection and response processes.

The partnership also addresses emerging risks from generative AI tools. While these tools enhance productivity significantly, they introduce fresh concerns about data leaks that conventional security measures struggle to handle. Proofpoint’s platform incorporates data loss prevention (DLP) features specifically designed to oversee and govern the movement of sensitive data within generative AI environments.

Targeted Assaults Remain a Menace

Even with these advancements, Richard Stiennon warns, “Keep in mind that a targeted assault can bypass any defense mechanism deployed at the human level.”

“Continual evolution is observed in traditional security threats aimed at people. Phishing assaults are growing in complexity, employing highly personalized approaches driven by social engineering and AI-augmented data mining,” asserts James Scobey, CISO at Keeper Security. “Cybercriminals are not just dependent on pilfered credentials but also on social manipulation to breach identity defenses. Deepfakes present a specific concern in this domain, as AI models expedite these attack methods, making them quicker, cost-effective, and more convincing.”

This stark reality underscores that while safeguarding the human layer is crucial, it is not a complete solution. Advanced persistent threats, specifically targeted spear-phishing campaigns, and internal threats will always necessitate multi-layered defenses, sophisticated detection protocols, and swift response capabilities. This is why holistic security strategies should strike a balance between prevention, detection, and resilience.

Human-Focused Security is Now Mandatory

The facts are clear: almost three-quarters of security breaches involve human error to some extent. Neglecting to prioritize the safety of the human layer in cybersecurity strategies leaves the most vulnerable entry point wide open.

As highlighted by Scott Crawford, “As adversaries seek to widen their reach towards possible human targets, the ways in which people interact within processes such as IT service support also offer opportunities for organizations to learn from incidents and leverage emerging approaches to enhance awareness of potential threats.”

The collaboration between Proofpoint and Microsoft exemplifies the shift towards security centered around individuals—a path that many organizations will need to embrace. By merging AI, automation, and seamless integrations with the tools used by employees, they are laying out a blueprint to mitigate human-related risks and enhance overall security readiness.

Considering the evolving tactics of attackers, organizations must adapt accordingly. Strengthening security at the human layer is not merely advisable; it is an essential business mandate.
