When People Fail: The Hidden Risk Behind Most Cyber Breaches

Written by Dhananja Kariyawasam

Dhananja is an experienced Information Systems Manager at KUWAITNET.


Technology is vital—but people remain the weakest link in cybersecurity. In 2024, 95 % of data breaches involved human error, ranging from misclicks to misconfigurations. 
If human error is driving most breaches, we must shift our approach. We must protect not just systems, but people.


Why human error dominates breaches

1. The numbers speak

  • Breachsense reports that a Stanford & Tessian study found 88 % of data breach incidents stem from employee mistakes; IBM studies peg the figure closer to 95 %.

  • According to Mimecast’s State of Human Risk 2025 report, security leaders now see human risk as their top challenge, despite investments in tech.

  • SCWorld notes that human error “surpassed technological flaws” in 2024 as a contributing factor to breaches. 

2. How it happens

Human error in cybersecurity typically involves:

  • Skill-based errors: slips, lapses, or executing routine tasks incorrectly (e.g. mistyping a domain or missing a configuration step). 

  • Decision-based errors: wrong choices under uncertainty, such as trusting a phishing email that looks legitimate, or misjudging a system alert. 

Common real-world examples:

  • Misdelivery: A staff member sends sensitive emails to the wrong recipient (e.g. NHS disclosure of HIV patient emails).

  • Password mismanagement: weak, reused, or shared passwords, or writing credentials down.

  • Patching delays: systems left vulnerable because updates were postponed (the WannaCry attack exploited this). 

  • Misconfiguration: open ports, default settings, overly broad access rights.

  • Insider or third-party error: vendors or subcontractors introducing errors.


Why the human factor persists

Opportunity + environment + awareness

  • More tools, more endpoints, more complexity—more opportunity for error.

  • High workload, poor process design, ambiguous policies all worsen risk.

  • Many organizations invest heavily in tools but neglect ongoing training and cultural reinforcement.

Technical defenses alone aren’t enough

Even the best firewalls, EDR, or zero-trust models can be bypassed when someone makes a mistake. The smarter path is to engineer protections around human behavior, so that a single slip does not become a breach.

In critical sectors, stakes are higher

In healthcare, a breach isn’t only reputational—it can affect patient outcomes. A study in U.S. hospitals showed that a data breach correlated with a 0.338-0.446 percentage point increase in 30-day mortality rates for AMI patients in subsequent years. 


Turning people from risk to defense

To bridge this gap, defenses must address systems, culture, and awareness together.

Technical controls to reduce opportunity

  • Least privilege & role-based access
    Limit user access to what’s strictly necessary.

  • Multi-Factor Authentication (MFA)
    Add a second factor that stops attackers even if a password leaks.

  • Network segmentation
    Restrict lateral movement in case of compromise.

  • Automation & hardening
    Auto-patch, secure defaults, remove unnecessary permissions.

  • Monitoring and anomaly detection
    Spot unusual patterns in user behavior early.
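The last control in this list, spotting unusual patterns in user behavior early, is the easiest to illustrate in code. The following is an added example and is not code from the original article or from KUWAITNET. It runs three simple rules over a constructed set of login events (off-hours success, success from a country the user has never logged in from, and a burst of failures followed by a success). The event format, the working-hours window, the baseline of known countries and the thresholds are all assumptions chosen for the demonstration, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data).
# Each tuple: (ISO timestamp, user, result, source country).
SAMPLE_EVENTS = [
    ("2025-01-13T09:02:00", "alice", "success", "KW"),
    ("2025-01-13T09:15:00", "bob",   "success", "KW"),
    ("2025-01-13T02:41:00", "alice", "success", "KW"),   # outside working hours
    ("2025-01-13T10:00:00", "carol", "failure", "KW"),
    ("2025-01-13T10:00:20", "carol", "failure", "KW"),
    ("2025-01-13T10:00:40", "carol", "failure", "KW"),
    ("2025-01-13T10:01:00", "carol", "failure", "KW"),
    ("2025-01-13T10:01:20", "carol", "failure", "KW"),
    ("2025-01-13T10:01:40", "carol", "success", "KW"),   # success right after a failure burst
    ("2025-01-13T11:30:00", "bob",   "success", "DE"),   # country not in bob's baseline
]

# Assumed baseline: countries each user has previously logged in from.
BASELINE_COUNTRIES = {"alice": {"KW"}, "bob": {"KW"}, "carol": {"KW"}}

# Assumed tuning values for the three rules.
WORK_START, WORK_END = 7, 20          # successful logins expected between 07:00 and 20:00
FAILURE_THRESHOLD = 5                 # failures within the window that make a success suspicious
FAILURE_WINDOW = timedelta(minutes=5)


def parse_events(events):
    """Convert raw tuples to datetime-keyed tuples, sorted chronologically."""
    return sorted(
        (datetime.fromisoformat(ts), user, result, country)
        for ts, user, result, country in events
    )


def detect_anomalies(events, baseline_countries):
    """Return a list of findings; each finding names the user, the rule and the time."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures since last success

    for ts, user, result, country in parse_events(events):
        if result == "failure":
            recent_failures[user].append(ts)
            continue

        # Only successful logins are evaluated against the behavioural rules.
        if not (WORK_START <= ts.hour < WORK_END):
            findings.append({"user": user, "rule": "off_hours_login", "at": ts.isoformat()})

        if country not in baseline_countries.get(user, set()):
            findings.append({"user": user, "rule": "new_country_login", "at": ts.isoformat()})

        # A success preceded by many failures in a short window is worth a closer look.
        in_window = [f for f in recent_failures[user] if ts - f <= FAILURE_WINDOW]
        if len(in_window) >= FAILURE_THRESHOLD:
            findings.append({"user": user, "rule": "failures_then_success", "at": ts.isoformat()})

        recent_failures[user].clear()   # a success ends the current failure streak

    return findings


def run_sample():
    """Run the detector over the constructed events."""
    return detect_anomalies(SAMPLE_EVENTS, BASELINE_COUNTRIES)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['at']}  {finding['user']:<6}  {finding['rule']}")
```

Each finding is a prompt for a human review rather than an automatic block: an off-hours login by a staff member on call is normal, and a new country is expected for someone travelling. The value lies in surfacing the event early enough to ask, which is exactly the "spot unusual patterns early" point above.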

Awareness, culture & process

  • Continuous training
    Don’t treat security as a checkbox; use regular, contextual, role-based learning.

  • Simulated phishing & red-teaming
    Controlled tests help reinforce vigilance.

  • No-blame error reporting
    Encourage staff to report near-misses without fear.

  • Simplify workflows
    Use checklists, confirmation steps, constraints to reduce error traps.
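The "confirmation steps" and "constraints" above are the natural countermeasure to the misdelivery and mistyped-domain errors described earlier in this post. As an added example (not code from the original article or from KUWAITNET), the function below acts as a pre-send check on outbound mail: it flags recipient domains that look like a typo of the organisation's own domain, and flags any external recipient when the message is classified as internal, so the sender is asked to confirm before the mail leaves. The internal domain, the classification labels and the edit-distance threshold are assumptions for the demonstration.

```python
# Assumed internal domain; "example.com" is a placeholder, not a real deployment value.
INTERNAL_DOMAIN = "example.com"
# Assumed threshold: domains within this many edits of the internal domain are treated as look-alikes.
MAX_LOOKALIKE_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipients(recipients, classification,
                     internal_domain=INTERNAL_DOMAIN,
                     max_distance=MAX_LOOKALIKE_DISTANCE):
    """Return (address, reason) pairs that should block sending until the user confirms.

    classification is the message label, e.g. "internal" or "public" (assumed labels).
    """
    warnings = []
    for addr in recipients:
        local, _, domain = addr.rpartition("@")
        if not local or not domain:
            warnings.append((addr, "malformed_address"))
            continue

        domain = domain.lower()
        if domain == internal_domain:
            continue   # genuinely internal recipient, nothing to confirm

        distance = levenshtein(domain, internal_domain)
        if 0 < distance <= max_distance:
            # A near-miss of our own domain is almost always a typo that would
            # deliver the message to a stranger.
            warnings.append((addr, "lookalike_of_internal_domain"))
        elif classification == "internal":
            warnings.append((addr, "external_recipient_on_internal_message"))
    return warnings


def requires_confirmation(recipients, classification):
    """True when the sender must explicitly confirm before the message is sent."""
    return bool(check_recipients(recipients, classification))


if __name__ == "__main__":
    # Constructed sample recipient list: one internal address, one typo, one partner.
    sample = ["finance@example.com", "j.doe@exmaple.com", "partner@partner.org"]
    for addr, reason in check_recipients(sample, "internal"):
        print(f"confirm before sending: {addr} ({reason})")
```

The check deliberately does not silently drop or rewrite recipients: the constraint is a confirmation step, not an automatic correction, because an automatic fix would itself become a new source of misdelivery. Tie the classification label to whatever your mail client or DLP tooling already applies to messages rather than asking users to set it by hand.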


The role KUWAITNET plays

KUWAITNET, a regional IT and cybersecurity provider, is strengthening its managed security offerings. Notably, in late 2024, KUWAITNET became an MSP partner with PowerDMARC, enhancing domain and email protection services. 

By combining technical controls, awareness programs, and managed services, KUWAITNET is positioned to help organizations reduce human error risk—not just detect it.
