Human behaviour remains a pressing issue for IT professionals, with a new report finding poor behaviour and lapses in training are the main cyber security issues for most organisations.

US software company Kaseya’s Cybersecurity Survey Report 2024 found “user-related security issues” were responsible for the bulk of distress reported by IT professionals, with poor user practices and “gullibility” making it into the top three root causes of cyber security problems for 45 per cent of responding organisations.

This figure has tripled from Kaseya’s last findings in 2023 and is expected to continue its climb into 2025 as companies increase their “awareness of social engineering and distraction as major threat vectors”.

“The perception of IT professionals is that users are the root of most cyber security trouble,” wrote Kaseya.

The report further observed concerns over human error rose to 36 per cent this year, while the focus on endpoint threats in servers and laptops nosedived from the year prior at an 8 and 5 per cent drop respectively.

“This year saw a significant rise in respondents identifying user behaviour as their biggest cyber security challenge, with over half citing it as the main issue now and in the future,” said Kaseya.

“This shift suggests IT professionals are more confident in their strategies, placing the blame for security issues on users.”

Attacks led by phishing and blunders

In cyber security, human error generally refers to unintentional or misinformed actions which result in a security breach.

Kaseya, which itself suffered a major ransomware event in 2021, found almost one fifth of survey respondents led with human error as their top security management challenge, followed by budgeting constraints at 16 per cent, IT and security skills at 14 per cent, and building a security culture at 13 per cent.

It also reports an alarming 50 per cent of organisations were impacted by phishing messages in the past 12 months.

Behind this were computer viruses and malware at 29 per cent, and business email compromise – which is effectively a more targeted version of phishing aimed at misleading professionals and attacking organisations – at 28 per cent.

Although the three attack vectors are markedly different, Susie Jones, chief executive of Melbourne-based cyber risk startup Cynch Security, said they share an underlying common thread in human error.

“Phishing is not effective if you don't click on the dodgy link,” said Jones.

“And malware is not effective if you don't go to that dodgy website.

“It all comes back to the behaviour of the human sitting at the computer.”

Notably, 44 per cent of Kaseya respondents identified a lack of end-user cyber security training as a leading cause of cyber security issues in their organisation – with an additional 22 per cent pointing to undertrained administrative staff members.

Jones told Information Age while training is essential, it needs to be engaging and role specific.

“Making people aware of risks and the possible things that could go wrong – that's one thing,” said Jones.

“For many people who are less technically proficient or less used to working with computers, that's absolutely appropriate, but I call that step zero.

“But it's dubious to give someone in finance the same training as you would give to someone in human resources – they’re facing very different kind of risks.”

Jones explained companies should look to cyber security training solutions which explicitly address the requirements of a given role, including technology-based instructions and the precise security risks one might face in their day-to-day workload.

Australia still has a way to go

As Australia faces its highest number of reported data breaches since 2020, the Office of the Australian Information Commissioner (OAIC) observed that individuals “remain a significant threat” to the strength of organisational privacy practices.

Before accounting for social engineering, stolen credentials or systems being mistakenly misconfigured by an employee, the OAIC found explicit human error – such as failing to properly use BCC when sending emails – accounted for 30 per cent of reported data breaches between January and June 2024.

Phishing attacks meanwhile accounted for an additional 12 per cent.

Jones said while Australia has made “vast improvements” to its security and phishing awareness over the past six years, we’re still a “fair way off” from where we need to be.

She pointed to a constant “tug of war” between what is convenient for a worker versus what is actually secure and good practice.

“We often know we could do a task quickly and with less caution in 20 seconds,” said Jones.

“Human error is often the difference between someone who went around the rules instead of taking those three minutes, or whatever it might take, to do their work within the boundaries that have been set.”

Jones further explained the issue of human error can’t be mitigated through technical solutions alone.

“If you don't take into account the fact that humans are going to use your systems, and humans are very good at getting around the rules, then your security tools aren’t going to work the way you expect,” she said.

“You can have the absolute best technical controls in place, you can outline all the best ways to operate in order to minimise the chance of your company falling victim to a cyber attack, but it all comes down to the decisions of somebody sitting at their desk, doing their daily work.”