
Thursday, June 18, 2026

60% of cyber incidents are caused by human error, and AI complicates the situation even more

 

Atea advertisement


“In recent weeks, Lithuania has been shaken by several large-scale cybersecurity incidents, once again highlighting the consequences of cybersecurity gaps and insufficient data protection. Meanwhile, the challenges in cybersecurity keep growing. Rapidly developing artificial intelligence provides new opportunities not only for organizations but also for cybercriminals: it is becoming easier for them to create convincing fraud schemes and to influence people's behavior. In addition, the start of the summer vacation period, when employee vigilance is traditionally lower, may amplify the impact of such threats. Ramūnas Sasnauskas, IT solutions architect at Atea, the largest IT solutions and services provider in the Baltic States, says that people remain the most vulnerable link in cybersecurity, and advises organizations on how to reduce the risks posed by human error.

 

One of the world's largest cybersecurity research reports, the Verizon Data Breach Investigations Report 2025, states that roughly 60 percent of the breaches it analyzed involved the human element in one way or another. The figure comes from an analysis of more than 22 thousand security incidents and 12 thousand confirmed data breaches from 139 countries.

 

The human factor in the context of cybersecurity includes social engineering, weak access control, incorrect system configuration, circumvention of security rules, and incidents that are detected too late. "Even with advanced technological security measures, much depends on how people use them, what decisions they make, and how quickly they react to potential threats," says R. Sasnauskas.

Social engineering threats are amplified by AI

 

When asked which of the human factors poses the greatest risk to organizations today, the Atea expert does not hesitate to name social engineering.

 

“And not necessarily because it is the most common. It is much easier to influence a person than to hack a well-protected information system. Criminals do not need long and complicated processes to find vulnerabilities. It is much easier to send fraudulent letters or messages and hope that the person will reveal their login details,” says R. Sasnauskas.

 

Today, fraudsters use not only traditional so-called “phishing” letters. Such fraud methods as “smishing” (fraudulent SMS messages), “vishing” (telephone fraud) or “quishing” (fraud using QR codes) are also increasingly used. “The latter are especially rapidly gaining popularity, because it is more difficult for email filters to analyze QR codes than regular Internet links. In addition, QR is usually scanned by a phone, which usually has weaker protection than a computer,” warns R. Sasnauskas.

 

Artificial intelligence also provides criminals with additional opportunities. “With the help of AI, the language barrier has essentially disappeared. If previously, phishing emails were often given away by grammatical errors or strange wording, today AI allows you to generate emails or personalized messages written in correct Lithuanian, impersonating a colleague or manager,” the expert says.

 

Artificial intelligence also makes it possible to create extremely convincing copies of legitimate websites. An even greater danger comes from so-called “deepfake” techniques, in which the voice or image of a specific person is recreated with the help of artificial intelligence and, for example, an instruction from a manager to perform certain actions is imitated. According to R. Sasnauskas, such attacks have not yet been heard of in Lithuania, but such cases have already occurred in Europe, the USA and Asia.

 

In principle, AI does not change the main goal of cybercriminals, which is to influence a person, but it allows them to create increasingly convincing phishing scenarios. That is why it becomes even more important for organizations to strengthen the vigilance of employees and their ability to recognize potential threats.

Security is often sacrificed for convenience

 

However, social engineering is only one piece of the puzzle. Other risks arising from people’s decisions and daily habits are also significant. Organizations still face excessive or improperly managed access, errors in system configuration, late detection of incidents, and employees’ tendency to bypass security rules in order to complete daily tasks more quickly.

 

“When it comes to the tendency to bypass security rules, the main problem is increasingly not a lack of employee knowledge, but the fact that the chosen security tools or processes are inconvenient, so it becomes easier to ignore them than to use them,” says R. Sasnauskas.

 

This is also compounded by the pressure to complete tasks as quickly as possible, as well as a lack of risk perception or psychological aspects, such as the belief that “nothing will happen to me.” Many mistakes are caused by fatigue or inattention.

 

A lack of specialist competence in designing, implementing, configuring or maintaining security solutions also increases the risk. Buying technology does not by itself produce security; it is equally important to ensure that the solutions are properly configured and managed.

How to reduce the risks posed by the human factor?

 

Although it is impossible to completely eliminate human errors, organizations can significantly reduce the risks they cause. R. Sasnauskas recommends starting with a few essential steps.

 

First of all, it is important to conduct a cybersecurity audit, which will help assess the current situation, identify weaknesses and set priorities.

 

Another equally important step: continuous employee education. Employees should be regularly informed about new types of attacks, including social engineering attacks created with the help of AI, safe work principles, security solutions implemented in the organization and actions that need to be taken if an incident is noticed. Education should include not only theoretical training, but also practical incident simulations, for example, simulating phishing attacks. Such exercises allow employees to better recognize threats and prepare for real situations.

 

The Atea expert also recommends that organizations set long-term security goals and strategies, regularly assess weaknesses and strengthen the areas where the risk is greatest. Specific technological solutions also help reduce risk. One of the most economical and effective is MFA (multi-factor authentication): even if login credentials are stolen, they are difficult to use without the additional confirmation. Identity and access management (IAM) and privileged access management (PAM) solutions also help. One caveat a practitioner would add: one-time codes typed into a convincing fake site can be relayed to the real site in real time, so against AI-crafted phishing pages, phishing-resistant MFA such as FIDO2 security keys or passkeys is the stronger choice.
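To make concrete why a stolen password alone is not enough, here is an added example (written for this page, not code from Atea or the article): a login check that requires both a password and a TOTP code per RFC 6238, refuses a missing code, and refuses a code that has already been accepted so an intercepted code cannot be replayed within its validity window. The user name, password and shared secret are constructed test data; the secret is the ASCII test key from RFC 6238 so the codes are reproducible.

```python
# Added example, not code from the Atea article: a password check plus a TOTP
# (RFC 6238) second factor, showing why a stolen password alone is not enough.
# User names, passwords and the shared secret below are constructed test data.
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30      # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # tolerate one step of clock drift in either direction


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // TOTP_STEP)


def verify_totp(secret: bytes, code: str, at: int, used_counters: set) -> bool:
    """Accept `code` if it matches the current step or one step either side.
    A counter that has already been accepted is refused, so a code that was
    phished or shoulder-surfed cannot be replayed within its window."""
    current = at // TOTP_STEP
    for counter in range(current - TOTP_WINDOW, current + TOTP_WINDOW + 1):
        if counter in used_counters:
            continue
        # constant-time comparison so the check does not leak matching digits
        if hmac.compare_digest(hotp(secret, counter), code):
            used_counters.add(counter)
            return True
    return False


def add_user(store: dict, name: str, password: str, totp_secret: bytes) -> None:
    """Store a salted PBKDF2 password hash and the user's TOTP secret."""
    salt = os.urandom(16)
    store[name] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
        "used_counters": set(),
    }


def login(store: dict, name: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass; a missing or reused code fails even with the
    correct password."""
    user = store.get(name)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(digest, user["pw_hash"]):
        return False
    if not code:
        return False
    return verify_totp(user["totp_secret"], code, at, user["used_counters"])


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890") and a fixed time,
    # so the code is reproducible: T=1111111109 gives 081804 in the RFC.
    SECRET = b"12345678901234567890"
    NOW = 1111111109
    PASSWORD = "correct horse battery staple"   # constructed test password
    store = {}
    add_user(store, "alice", PASSWORD, SECRET)
    code = totp(SECRET, NOW)

    print("stolen password, no code:", login(store, "alice", PASSWORD, "", NOW))
    print("password + fresh code:   ", login(store, "alice", PASSWORD, code, NOW))
    print("same code replayed:      ", login(store, "alice", PASSWORD, code, NOW))
```

The replay check is the part most toy implementations skip: without `used_counters`, a code captured by a phishing page stays valid for up to 90 seconds under this window. Even with it, a relay attack that forwards the code to the real site within that window still succeeds, which is why FIDO2 or passkey authenticators, whose response is bound to the site's origin, are preferred where phishing is the main concern.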

 

“General advice: security solutions should be made as simple as possible. It would be worth automating processes where people most often make mistakes. It is also very important to create a culture of responsibility, not fear, and to evaluate not only technologies, but also employee behavior,” the expert emphasizes.

 

R. Sasnauskas identifies the organization’s culture as one of the most important factors determining whether cybersecurity will become a natural part of everyday activities or will remain just a set of formal rules.

 

The role of the leader is more important than it seems

 

According to R. Sasnauskas, the role of the leaders of organizations in creating a cybersecurity culture is extremely important. “Managers must follow the same rules as all employees, use the same security tools and urge the organization to strictly follow the established processes,” the expert asserts.

 

However, the role of leaders is not limited to personal example. Following good practice and international standards such as the NIST Cybersecurity Framework or ISO/IEC 27001, the specialists responsible for cybersecurity should report directly to the organization’s management, or at least be able to raise cybersecurity issues with managers without bureaucratic obstacles. This matters not only when discussing existing risks or incidents that have occurred, but also when planning a security strategy, setting priorities, allocating the necessary resources and deciding on investments in security solutions and measures.

 

According to the Atea representative, managers should also talk openly about security risks and incidents, share experiences and encourage employees to report observed threats or potential incidents as soon as possible without fear of being accused or punished.

 

Cybersecurity should not be perceived as the responsibility of the IT department alone. Security issues must reach the highest level of the organization's management and be assessed together with other operational risks.”

 

