CISOs’ New Challenge: Mastering Human Behavior

Summary
– Social engineering attacks are increasingly common, with 41% of organizations reporting more cyberattacks than a year ago, and AI is making these tactics more convincing and scalable.
– Organizations face significant cultural and leadership gaps, with only 43% having an effective cybersecurity culture and half reporting that leadership does not prioritize cyber resilience.
– Training and workforce education are weak, as only 20% of organizations have implemented social engineering training strategies, and it remains a low priority for investment compared to technical measures.
– Many organizations feel unprepared for newer attack methods like deepfakes and AI-powered attacks, with only 32% and 29% reporting readiness respectively, despite expecting to face them.
– The report recommends increasing leadership engagement, expanding role-specific training, preparing for both old and new threats, and utilizing external expertise to improve cyber resilience.
Modern cybersecurity faces a shifting battleground where human behavior often becomes the weakest link. Attackers increasingly bypass complex technical defenses by exploiting psychological vulnerabilities, using deception rather than code to gain access. With artificial intelligence amplifying these tactics, distinguishing genuine communications from malicious ones has grown more difficult for employees worldwide.
Recent research highlights a troubling global trend: 41% of organizations report increased cyberattacks compared to last year, with rates climbing to 49% across the Asia-Pacific region. A significant 59% of respondents admit their staff struggles to identify fraudulent messages, a figure that rises to 66% in Latin America. This confusion stems partly from AI-driven social engineering, which generates highly personalized and convincing scams at an unprecedented scale.
Behind these challenges lies a critical shortfall in organizational culture and leadership. Only 43% of companies describe their cybersecurity culture as effective, dipping to just 36% in Latin America. Governance structures also show weakness, with 45% of organizations acknowledging that their governance teams lack a solid understanding of cyber resilience. In Europe and Latin America, that figure approaches 50%.
Leadership engagement remains insufficient. Half of all organizations indicate that their executives do not prioritize cyber resilience, while just one in four cybersecurity teams is considered highly effective at collaborating with other business units. This disconnect hampers organization-wide readiness and leaves gaps in defense.
Training initiatives represent another area of concern. A mere 20% of organizations have implemented specific strategies to educate employees about social engineering risks. Looking forward, only 26% plan to focus on training in the next year, while larger investments flow toward technical solutions (41%) or leadership engagement programs (37%).
Theresa Lanowitz, Chief Evangelist at LevelBlue, emphasizes that building a culture of cyber resilience is essential to counter increasingly sophisticated attacks. Since these threats target human psychology, she notes, adequate investment in education, training, and expert consultation is non-negotiable.
Preparedness levels vary significantly across threat types. While more than half of organizations feel ready for conventional attacks like business email compromise or data theft, far fewer are equipped for emerging dangers. Only 32% report preparedness for deepfake attacks, and just 29% feel ready for AI-powered threats, even though 44% anticipate facing deepfake incidents within the next year.
Investment patterns reveal a mixed approach. While 33% of organizations are channeling significant resources into resilience processes and 31% into generative AI for defense, only 13% are making major commitments to zero trust architecture. External support remains underutilized, with 37% having engaged cybersecurity consultants and only 32% bringing in training specialists. These numbers are expected to see only modest growth over the next two years.
To address these vulnerabilities, the report concludes with four key recommendations: strengthen executive involvement, develop role-specific training programs, prepare for both existing and novel social engineering techniques, and seek external expertise where internal capabilities fall short.
(Source: HelpNet Security)
