Phone : +91 95 8290 7788 | Email : sales@itmonteur.net


The one threat CISOs can’t patch, ETCISO

In today’s world, companies are investing heavily in advanced cybersecurity tools, AI-driven monitoring, automated SOCs, zero-trust frameworks and more. Yet, in many major cyber incidents, one detail keeps repeating: a human being made a mistake. Sometimes it’s a rushed click on a link, a quick approval given under pressure, or a moment where someone ignored a warning. Even the strongest technical systems can fall apart because of one small human error.

According to McKinsey, organisations spent approximately $200 billion on cybersecurity products and services in 2024, underscoring heavy investment in technical defences. Even so, many CISOs say the biggest weakness in cybersecurity is not outdated software but human behaviour.

“Human behaviour changes constantly and is influenced by emotions,” explains Devinder Singh, Head IT Infrastructure and SecOps at PolicyBazaar. “Stress, deadlines, pressure, fatigue, and distractions—these are openings that technology cannot fully close. When employees are tired or overwhelmed, they’re more likely to click suspicious links, approve risky requests, or ignore warnings.”

Because people behave differently depending on how they feel, attackers have learned to use psychology as their strongest weapon. And with the rise of AI, the way they do this has changed dramatically.

AI has taken social engineering to the next level

Earlier, phishing emails were full of spelling mistakes and easy to spot. Today, attackers use AI to create extremely believable messages. These emails can copy the tone of a senior leader, refer to real projects, or even include deepfake voice and video that makes them look trustworthy.

“AI now allows attackers to craft messages that sound authentic, mimic leadership tone, reference real projects, and appear completely legitimate,” Singh says. “With deepfake voice and video, attackers can impersonate executives or colleagues with unsettling accuracy.”

This means attackers no longer need to break into systems. Instead, they try to convince employees to open the door for them. They tap into natural human reactions — trust, urgency, curiosity, and fear. When people are stressed or distracted, they are more likely to respond quickly without thinking twice.

In this new environment, the real attack surface is not only the technology being used — it is the people using it.

Employees are the new perimeter

Every organisation must now accept that its security depends heavily on the awareness and behaviour of its employees. Firewalls and threat detectors can only do so much if someone unknowingly lets an attacker in. Even as security budgets rise, the PwC Digital Trust Insights 2024 report notes that many organisations continue to face uneven progress — highlighting a clear gap between investment and real preparedness.

According to Ramanand Jha, Managing Director at Komorebi Global Consultancy, building a strong security culture starts with leadership. “The most effective approaches to build a culture of cyber security awareness within an organization are leadership commitment, organisational culture, appreciation and recognition to the best performing employees,” he says.

When employees feel valued and recognised for good security practices, they become more alert and responsible. Jha also stresses that training cannot be a long annual session that people forget. It must be simple, regular, and measurable.

Jha highlights the key elements that actually work:

  • A user-friendly training platform accessible on any device
  • Gamified learning to make training fun and competitive
  • Micro-learning sessions of 3–5 minutes every week
  • Real-time tracking of employee performance
  • Clear visibility of each person’s security maturity and behaviour

This approach turns security training into a habit, not a formality. Over time, employees become more confident and aware, reducing the chances of risky behaviour.

Can technology ever fully replace human judgement?

With rapid advances in AI and automation, there is a natural question: can technology ever fully solve the human-risk problem?

Jha believes the answer is no. “People will always be the primary catalyst for success in any organization,” he says. “Technology will support them—enhancing productivity, efficiency, decision-making—but it won’t replace the human factor.”

This means the goal isn’t to remove humans from critical decisions, but to support them with tools that reduce pressure and help them make better choices. Technology can automate routine tasks, reduce manual work, and alert employees when something looks suspicious. But emotional intelligence, judgement, and context are still human strengths.

Cybersecurity, therefore, becomes a partnership between humans and machines — each balancing the other’s weaknesses.

Strengthening the human firewall

If people will always remain part of the risk, the best solution is to make them a stronger line of defence. This requires:

  • A workplace culture where employees feel safe to question suspicious requests
  • Regular, short, engaging training sessions
  • Leadership that sets the tone for good security behaviour
  • Tools and rules that make verification easy
  • Encouraging employees to pause, think, and validate before acting
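The "tools and rules that make verification easy" point above, and the earlier remark that technology can alert employees when something looks suspicious, can be made concrete with a small rule that runs on an inbound message before the reader acts on it. The following is an added example for this page, not code from ETCISO or the people quoted; the company domain, the executive directory and the sample messages are all constructed assumptions. It flags the identity signals that an AI-written, tone-perfect email cannot hide (display name of a known executive with a foreign sender address, a lookalike domain, a Reply-To that points elsewhere) and treats urgency wording only as an escalating factor, so that the prompt to "pause and verify out of band" fires on impersonation rather than on every rushed but genuine request.

```python
"""Executive-impersonation check: an added illustration of a rule that makes
verification easy. Everything below (domain, directory, samples) is assumed."""
import difflib
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed corporate mail domain
EXECUTIVES = {                                       # assumed extract of the directory
    "Priya Nair": "priya.nair@example.com",
    "Arjun Mehta": "arjun.mehta@example.com",
}
# Pressure language typical of social engineering; it raises the priority of a
# flagged message but never triggers a flag on its own.
PRESSURE = re.compile(
    r"\b(urgent|immediately|asap|right now|today|wire|gift cards?|confidential)\b", re.I
)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str) -> bool:
    """True when a domain is close to, but not equal to, the company domain
    (e.g. a digit swapped for a letter). Exact matches are never lookalikes."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8


def assess(headers: dict, body: str) -> dict:
    """Return identity mismatches, pressure cues and whether the reader should
    verify the request through a known channel before acting."""
    name, addr = parseaddr(headers.get("From", ""))
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    identity, pressure = [], []

    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        identity.append(f"display name '{name}' belongs to {expected}, sender is {addr}")
    if lookalike(_domain(addr)):
        identity.append(f"sender domain {_domain(addr)} resembles {COMPANY_DOMAIN}")
    if reply_to and _domain(reply_to) != _domain(addr):
        identity.append(f"replies are routed to {reply_to}, not to the sender")
    match = PRESSURE.search(body)
    if match:
        pressure.append(f"pressure wording: '{match.group(0)}'")

    verify = bool(identity)                      # identity signal required
    priority = "high" if verify and pressure else ("normal" if verify else "none")
    return {"verify": verify, "priority": priority,
            "identity": identity, "pressure": pressure}


# Constructed sample messages (not real mail).
SAMPLES = {
    "impersonation": ({
        "From": '"Priya Nair" <priya.nair@examp1e.com>',
        "Reply-To": "p.nair.ceo@gmail.com",
    }, "Need an urgent wire to a new vendor today. Keep this confidential."),
    "genuine_rushed": ({
        "From": '"Priya Nair" <priya.nair@example.com>',
    }, "Please approve the PO today, the deadline is tight."),
    "external_vendor": ({
        "From": '"Bob Lee" <bob@vendor.org>',
    }, "Attached is the invoice for last month."),
}


def demo() -> dict:
    """Run every sample through the check; keyed by sample name."""
    return {k: assess(h, b) for k, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "VERIFY" if result["verify"] else "ok", result["priority"])
        for r in result["identity"] + result["pressure"]:
            print("   ", r)
```

The decision rule matters more than the heuristics: a genuine but rushed message from a real executive produces no verification prompt, so staff are not trained to ignore the warning, while a message carrying any identity mismatch is held back for an out-of-band check regardless of how convincing the prose is.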

As Singh says, “Cybersecurity becomes truly effective only when both systems and people are working together.”

The human factor may always be the one threat CISOs cannot fully patch. But with the right awareness, culture, and support, people can shift from being the weakest link to becoming the strongest shield.

  • Published On Nov 19, 2025 at 09:05 AM IST
