Most Breaches Start With a Human. Most Humans Were Set Up to Fail.

Thought Leadership · Human Risk
May 2026  ·  8 min read

68% of all data breaches involve the human element. But when you look at what those humans were actually given to work with — no password manager, no number matching on MFA, credentials already for sale that nobody told them about — the question isn't why employees make mistakes. It's why businesses are surprised when they do.


Marcus works in accounting at a 40-person professional services firm. He's been there for six years. He's conscientious, detail-oriented, and genuinely cares about his job. He has never intentionally done anything to compromise his employer's security.

Last Tuesday at 4:47pm, with two pending deadlines and a client call in 13 minutes, he received an email that appeared to come from his CEO asking him to review an attached invoice before end of day. The email was well-written, used the CEO's real name, referenced an actual client relationship, and had a professional signature. He clicked the attachment. It took six seconds.

His credentials were harvested within the minute. By the time he finished the client call, an attacker had authenticated into his email account, set up a forwarding rule, and begun reading three months of correspondence. Marcus went home at 6pm with no idea any of this had happened.

He is not the story. The system that left him alone against that email is the story.

68% of all data breaches involve the human element — phishing, credential misuse, or error (Verizon DBIR 2025)
45% of employees who clicked phishing links were distracted at the time — not careless, distracted (Verizon DBIR 2025 / Station X)
86% reduction in phishing click rates from behavioral training vs quarterly compliance tick-boxes (Hoxhunt 2026 / Total Assure)
"Human risk is the #1 cybersecurity challenge. Despite continued investment in technology stacks, breaches continue unabated — mostly due to human error. Only 28% of organizations combine both regular security awareness training and continuous monitoring." — Mimecast State of Human Risk 2026, based on 2,500 IT security leaders across nine countries.

Meet the five employees who didn't mean to burn it down

These are not malicious insiders. They are the 62% of insider incidents attributed to negligent or compromised users — employees who were given inadequate tools, inadequate training, and inadequate visibility into their own exposure, and were then blamed when the system failed them.

Marcus — Accounts Payable

6 years at the company · Never missed a deadline
Phishing click

Marcus clicked a phishing link at 4:47pm with two deadlines pending. The email had no grammatical errors — because 82.6% of phishing emails in 2026 contain AI-generated content, up from 21% in 2023. AI-generated phishing emails have a 14% higher click-through rate than human-crafted ones. Marcus wasn't fighting a scam email. He was fighting a machine that studied his company before it attacked it.

What Marcus was given to work with: A quarterly security awareness training slide deck. A password policy document. No phishing simulation. No behavioral training. No way to know his credentials had appeared in a breach database three months earlier.

The system failure — not Marcus: Organizations with behavioral training see a 6x improvement in phishing recognition in 6 months. Marcus got a slide deck. The outcome was predictable.
Sarah — Office Manager

Handles vendor relationships, onboarding, and office operations
Password reuse

Sarah uses a variation of the same password across 85 accounts. She knows she's not supposed to. She was never given a password manager. 51% of employees admit to reusing passwords across work and personal accounts — not because they don't know better, but because managing 85 unique complex passwords without a tool is cognitively impossible.

What Sarah was given to work with: A password policy that says "use a unique strong password for every system." No password manager. No credential monitoring. No notification when her personal email appeared in a breach database.

The system failure — not Sarah: When 94% of leaked passwords are reused, that's not a compliance problem — it's a tooling problem. The policy exists. The tool doesn't.
David — Remote Sales Manager

Works from home 4 days a week · Manages 12 client relationships
MFA approval under fatigue

At 11:45pm on a Sunday, David's phone started buzzing with MFA push notifications. After the eighth, exhausted, he approved one. 51% of employees admit to making security mistakes when tired. The attacker had been push-bombing his account for 40 minutes. David didn't fail his company. His company deployed push notifications without number matching and never trained him on MFA fatigue attacks.

What David was given to work with: Push-notification MFA with no number matching. No training on push bombing. No way to distinguish a legitimate notification from an attacker's automated loop.

The system failure — not David: Number matching — a single configuration change — breaks the attacker's automation loop entirely. CISA recommends it as the minimum standard. David's company hadn't turned it on.
Jennifer — Marketing Coordinator

Manages client communications · 40+ emails per day
Misdirected email

Jennifer emailed a client contract to the wrong recipient — autocomplete suggested a name starting with the same three letters. 43% of human error breaches involve employees sending information to the wrong recipient. Misdelivery accounts for 72% of all internal action types in Verizon's 2025 DBIR. The contract contained client PII that triggered mandatory breach notification requirements.

What Jennifer was given to work with: An email platform with aggressive autocomplete and no send delay or external recipient warning. No data classification flagging the attachment as sensitive before sending.

The system failure — not Jennifer: A 30-second send delay and external recipient warning catches the majority of misdirected emails before they leave. The setting exists in most email platforms. Nobody turned it on.
Ryan — IT Support

Manages system access, onboarding, and vendor accounts
Misconfigured access

Ryan granted a vendor temporary admin access for a software integration and forgot to revoke it. Eight months later, that account — idle, unmonitored, with admin privileges — was compromised in an unrelated breach and used as a network entry point. Ryan was one person managing hundreds of access decisions with no automated offboarding workflow.

What Ryan was given to work with: A manual access management process. No automated access expiry. No stale account alerts. No regular access audit that would have flagged the vendor account.

The system failure — not Ryan: Automated access expiry and quarterly access reviews catch what human memory misses. Ryan couldn't revoke what he'd forgotten. A system would have caught it automatically.
Only 16% of insider incidents involved malicious intent, according to the 2025 Ponemon Insider Threat Report. The other 84% were negligent or compromised employees — people who made predictable human mistakes in systems designed without them in mind. Blaming the employee is both factually wrong and strategically useless. It doesn't close the gap. It just decides who to blame after the breach.

The awareness-action gap — why training alone isn't enough

Here is the Mimecast finding every SMB owner needs to read: 96% of organizations acknowledge their protection is incomplete. They know. And yet only 28% combine both regular security awareness training and continuous monitoring. The gap between knowing the risk and closing it is where most businesses live permanently.

Traditional security awareness training — the quarterly online module, the annual phishing reminder — produces awareness without behavior change. Employees can recite the rules and still click the link, because reciting rules and making real-time decisions under deadline pressure are completely different cognitive tasks. Organizations that reduce phishing click rates by 86% aren't the ones with the most training hours. They're the ones whose training is designed for behavior change — realistic simulations, immediate feedback, repeated continuously rather than quarterly.

But training alone still isn't enough. Marcus can be the most phishing-aware employee in the company and still be compromised if his credentials are already for sale, his MFA doesn't use number matching, and nobody is monitoring the external signals that precede the attack. The human is one layer of the defense. The system around them is the other four.

The six things that actually protect your employees — and your business

🔍 Know which employees are already exposed

Continuous monitoring of your domain against breach databases tells you whose credentials have been compromised before an attacker uses them. Marcus's breach started three months before he clicked the link. That window is where Spottr operates.

🔑 Give Sarah the tool, not just the policy

A business password manager makes unique complex passwords the path of least resistance. The policy that says "don't reuse" without the tool that makes compliance possible is a policy designed to fail.

🔐 Enable number matching before David goes to sleep

One configuration change in your identity provider breaks push bombing: with number matching, the user has to type a code that appears only on the sign-in screen, so a reflexive tap on the phone cannot approve a login the user never started. It costs nothing to enable and closes one of the most documented MFA bypass routes in use today.
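Number matching stops the approval at the end of a burst; the burst itself is still worth seeing in your sign-in logs, because it means someone already holds the user's password. As an added example (not code from the original post or from Veriti Spottr), here is that detection run over constructed push-MFA log lines; the log format and event names are assumptions modelled on typical identity-provider audit events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window for counting prompts
BURST = 5                        # prompts inside WINDOW that count as push bombing

# Constructed sample log (not from a real identity provider). Format and event
# names are assumptions: "<ISO-8601 time> <user> <event>".
SAMPLE_LOG = """\
2026-05-10T23:05:10Z david push_sent
2026-05-10T23:05:40Z david push_timeout
2026-05-10T23:06:30Z david push_sent
2026-05-10T23:07:00Z david push_timeout
2026-05-10T23:08:00Z david push_sent
2026-05-10T23:08:30Z david push_timeout
2026-05-10T23:09:20Z david push_sent
2026-05-10T23:09:50Z david push_timeout
2026-05-10T23:10:45Z david push_sent
2026-05-10T23:11:15Z david push_timeout
2026-05-10T23:12:05Z david push_sent
2026-05-10T23:12:15Z david push_approved
2026-05-11T08:30:00Z sarah push_sent
2026-05-11T08:30:05Z sarah push_approved
"""

def parse(log):
    """Yield (timestamp, user, event) tuples from the log text."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_push_bombing(log):
    """Return {user: {"peak_prompts": n, "approved_during_burst": bool}} for users hit by a burst."""
    recent = defaultdict(deque)          # user -> timestamps of prompts still inside WINDOW
    findings = {}
    for ts, user, event in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > WINDOW:  # age out prompts older than WINDOW
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= BURST:
                f = findings.setdefault(user, {"peak_prompts": 0, "approved_during_burst": False})
                f["peak_prompts"] = max(f["peak_prompts"], len(q))
        elif event == "push_approved" and len(q) >= BURST:
            # A "yes" while the burst is still live is the fatigue pattern; lock the account and call the user
            findings[user]["approved_during_burst"] = True
    return findings
```

Sarah's single prompt-and-approve pair never reaches the threshold, so only David's account is reported, with the approval inside the burst marked separately because it needs a password reset, not just a lockout.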

⏱️ Add a send delay for Jennifer

A 30-second delay on external emails and an external recipient warning catches the majority of misdirected emails before they leave. Most email platforms support this natively.

🚪 Automate what Ryan can't remember

Automated access expiry, quarterly access reviews, and stale account alerts turn manual memory into a systematic control. Access that expires automatically can't be forgotten.
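An added example, not from the original post or from Veriti Spottr: a quarterly access review run over a constructed access inventory (the accounts, roles, and dates are assumptions), flagging the three kinds of grant that caught Ryan: vendor access with no expiry date, privileged accounts idle beyond a threshold, and grants whose expiry has passed but are still active.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

IDLE_DAYS = 90                  # privileged accounts unused longer than this get flagged
PRIVILEGED = {"admin", "owner"}
REVIEW_DATE = date(2026, 5, 10) # the day this review runs (constructed)

@dataclass
class Grant:
    principal: str
    kind: str                   # "employee" or "vendor"
    role: str
    granted: date
    expires: Optional[date]     # None = open-ended access
    last_login: Optional[date]  # None = never signed in

# Constructed sample inventory (not real accounts); the vendor integration
# account mirrors the eight-month-old admin grant Ryan forgot to revoke.
SAMPLE_GRANTS = [
    Grant("ryan", "employee", "admin", date(2024, 1, 8), None, date(2026, 5, 8)),
    Grant("vendor-integration", "vendor", "admin", date(2025, 9, 9), None, date(2025, 9, 12)),
    Grant("contractor-ux", "vendor", "user", date(2026, 2, 1), date(2026, 3, 1), date(2026, 2, 28)),
    Grant("marcus", "employee", "user", date(2020, 5, 4), None, date(2026, 5, 9)),
]

def review_access(grants, today):
    """Return {principal: [reasons]} for every grant the review should act on."""
    findings = {}
    for g in grants:
        reasons = []
        if g.expires is not None and g.expires < today:
            reasons.append("expired_but_active")    # automated expiry should have revoked this
        if g.kind == "vendor" and g.expires is None:
            reasons.append("vendor_no_expiry")      # "temporary" access with no end date
        if g.role in PRIVILEGED:
            last_seen = g.last_login or g.granted   # never used: measure idleness from the grant
            idle = (today - last_seen).days
            if idle > IDLE_DAYS:
                reasons.append(f"privileged_idle_{idle}d")
        if reasons:
            findings[g.principal] = reasons
    return findings

def to_revoke(grants, today):
    """Principals whose access should be cut now rather than merely reviewed."""
    return sorted(p for p, r in review_access(grants, today).items()
                  if "expired_but_active" in r or any(x.startswith("privileged_idle") for x in r))
```

Ryan's own admin account is not flagged because it was used two days ago; the idle vendor admin account and the contractor whose grant expired in March both land in the revoke list.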

🎯 Replace compliance training with behavior training

The 86% reduction in phishing clicks doesn't come from more slides. It comes from realistic simulations with immediate feedback, repeated continuously. The goal is employees who make safer decisions in the moment — not employees who know the rules.

The businesses that close the human risk gap aren't the ones who train their employees harder. They're the ones who built systems that make the safe choice the easy choice — password managers that eliminate reuse, MFA configurations that block fatigue attacks, monitoring that surfaces credential exposure before it's exploited, and access controls that don't rely on memory. Marcus, Sarah, David, Jennifer, and Ryan aren't the problem. They're evidence of the problem. The solution is the system around them.

The question every SMB owner should be able to answer

If one of your employees clicked a phishing link right now — which one is most likely to? What systems could an attacker reach through their account? Are their credentials already in a breach database? Does their MFA use number matching? When did they last receive realistic phishing simulation training?

Most SMB owners can't answer any of these questions confidently. Not because they don't care. Because they've never had visibility into the human risk layer of their business — the credential exposure, the access gaps, the configuration weaknesses that turn a distracted Tuesday afternoon into a 292-day breach.

68% of breaches involve a human. Most of those humans were set up to fail. The businesses that change that outcome aren't the ones that find better employees. They're the ones that build better systems around the employees they already have.

See the human risk gaps in your business before an attacker does. Veriti Spottr's beta is free.

Veriti Spottr Team · AI-powered cyber risk clarity for SMBs · veritispottr.com
