Key Takeaways
- Social engineering is the dominant method of cyberattacks. Human behavior is the most fallible part of any cybersecurity strategy.
- Awareness isn’t enough. It takes continual practice to create good habits that lead to improvements in recognizing and responding to threats.
- Building a security-first culture takes more than annual training. Your employees become your best line of defense with the right support.
A text message that looks legitimate. A request that feels urgent. A voice that sounds familiar. In today’s threat landscape, cyberattacks rarely begin with a system breach. They begin with a person.
Increasingly, attackers are bypassing traditional defenses and going straight to the most accessible and most critical layer of any organization: its people.
The cyber perimeter is no longer defined by firewalls or networks, but by human behavior, says Robert Jager, VP, Deputy CI. Today, 98% of cyberattacks involve some degree of social engineering. But not all cybersecurity protocols have kept up.
The shift from systems to people
Cybercriminals have evolved their approach. Rather than attempting to break through hardened technical defenses, many now rely on social engineering, manipulating individuals into granting access, sharing credentials, or taking unintended action.
This shift is accelerating with the use of AI. A recent Gartner survey found that 62% of organizations experienced a deepfake attack involving social engineering. Threat actors can now create highly convincing phishing messages, impersonate executives, and adapt tactics in real time. What looked suspicious yesterday may look entirely legitimate today.
The implication is clear. Even the most advanced security stack cannot fully protect an organization if its workforce is not prepared to recognize and respond to these threats.
Then vs now: How cyberattacks have evolved
Key takeaway: The attack surface has shifted from systems to people.
Awareness alone isn't enough
Most organizations have some form of security awareness training. But annual, compliance-driven training modules are no longer sufficient.
Effective programs today share a few defining characteristics. According to Emi Kustal, Director, IT Risk & Compliance at ABM, they are:
- Continuous, not episodic
- Real-world, not theoretical
- Actionable, not abstract
- Measured, not assumed
The goal is not just awareness, but readiness. Employees should feel confident identifying risks and taking appropriate action in the moment.
Building a security-first culture
Culture, more than technology, is the best defense against social engineering attacks.
Organizations that demonstrate stronger resilience tend to have one thing in common: employees who actively engage with security as part of their day-to-day responsibilities.
That shows up in simple but meaningful ways:
- Asking questions before taking action
- Verifying unusual requests through secondary channels
- Reporting suspicious activity early
These behaviors create a distributed defense model where risk is identified and mitigated before it escalates.
Making these behaviors habitual requires treating employees as active partners. Security incidents become more common when teams are under stress or time pressure, or are facing uncertainty. Building resilience requires creating a culture of support rather than blame; this includes establishing clear security protocols and straightforward security policies.
There are three practical steps organizations can take to remove friction and lower the risk of social engineering.
- Simplify security tasks. For instance, use password managers rather than forcing employees to come up with new passwords every 90 days; mandatory rotation tends to produce predictable variations of the old password, which is why current guidance (NIST SP 800-63B) recommends changing passwords only when there is evidence of compromise. Make every security task as lean as possible.
- Send regular reminders. Pop-ups that remind users to update their software are simple behavioral nudges that keep security top-of-mind.
- Embed security in workflows. Find ways to add security controls during daily processes that are natural rather than disruptive.
A security-first culture is not built through enforcement alone. It is built through trust, accessibility, and shared accountability.
Why this matters now
The expansion of digital ecosystems across devices, vendors, and environments means there are more entry points than ever before. At the same time, attackers are becoming more precise in targeting human vulnerabilities.
This convergence makes the frontline workforce not just a potential risk surface, but a critical control point.
Organizations that invest in their people through training, communication, and culture are better positioned to:
- Detect threats earlier
- Reduce the likelihood of successful attacks
- Maintain operational continuity
Final perspective
Cybersecurity is no longer confined to IT. It is an operational discipline that touches every role, every interaction, and every decision.
The organizations that navigate this shift most effectively will not be those with the most tools. They will be those with the most engaged and informed workforces.
Because today, the strongest perimeter is not built around your organization. It is built within it.