Written by Dhananja Kariyawasam
Dhananja is an experienced Information Systems Manager at KUWAITNET.
Technology is vital, but people remain the weakest link in cybersecurity. In 2024, roughly 95% of data breaches involved some form of human error, from a misclick on a phishing link to a misconfigured system.
If human error is driving most breaches, we must shift our approach. We must protect not just systems, but people.
Breachsense reports that a Stanford & Tessian study found 88% of data breach incidents stem from employee mistakes; IBM studies put the figure closer to 95%.
According to Mimecast’s State of Human Risk 2025 report, security leaders now see human risk as their top challenge, despite investments in tech.
SCWorld notes that human error “surpassed technological flaws” in 2024 as a contributing factor to breaches.
Human error in cybersecurity typically involves:
Skill-based errors: slips, lapses, or executing routine tasks incorrectly (e.g. mistyping a domain or missing a configuration step).
Decision-based errors: wrong choices under uncertainty, such as trusting a phishing email that looks legitimate, or misjudging a system alert.
Misdelivery: a staff member sends sensitive email to the wrong recipient, or to the right recipients in the wrong way (the NHS disclosure of HIV patients' email addresses happened because the recipients were placed in CC rather than BCC).
Password mismanagement: weak, reused, or shared passwords, or writing credentials down.
Patching delays: systems left exposed because updates were postponed (WannaCry spread through Windows hosts that were still missing the MS17-010 SMB patch, released about two months before the outbreak).
Misconfiguration: open ports, default settings, overly broad access rights.
Insider or third-party error: vendors or subcontractors introducing errors.
More tools, more endpoints, more complexity—more opportunity for error.
High workload, poor process design, ambiguous policies all worsen risk.
Many organizations invest heavily in tools but neglect ongoing training and cultural reinforcement.
Even the best firewalls, EDR, or zero-trust models can be bypassed when someone makes a mistake. The smarter path is to engineer in protections around human behaviors.
In healthcare, a breach isn’t only reputational—it can affect patient outcomes. A study in U.S. hospitals showed that a data breach correlated with a 0.338-0.446 percentage point increase in 30-day mortality rates for AMI patients in subsequent years.
To bridge this gap, defenses must address systems, culture, and awareness together.
Least privilege & role-based access
Limit user access to what’s strictly necessary.
Multi-Factor Authentication (MFA)
Add a second factor so that a leaked password alone does not grant access; prefer phishing-resistant methods such as FIDO2/WebAuthn where possible, since one-time codes can themselves be phished.
Network segmentation
Restrict lateral movement so that one compromised account or host does not expose the whole network.
Automation & hardening
Auto-patch, secure defaults, remove unnecessary permissions.
Monitoring and anomaly detection
Spot unusual patterns in user behavior early, such as logins from new locations or bulk data access outside normal working hours.
Continuous training
Don’t treat security as a checkbox; use regular, contextual, role-based learning.
Simulated phishing & red-teaming
Controlled tests help reinforce vigilance.
No-blame error reporting
Encourage staff to report near-misses without fear.
Simplify workflows
Use checklists, confirmation steps, and technical constraints so that the easy path is also the safe one.
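As an added example of engineering a constraint around one of the errors listed above (misdelivery and mistyped domains), the following Python guardrail inspects an outbound email before it is sent. It is illustrative code written for this page, not a KUWAITNET product or anything from the article; the home domain, the partner allow-list, the sensitive-content markers and the similarity cutoff are all assumed values. A domain that closely resembles a trusted one is treated as a hard block (a likely typo), while sensitive content going to an unapproved or multiple external domains triggers a confirmation step rather than a silent send.

```python
"""Outbound-email guardrail: an added example of building a constraint around
a human error (misdelivery / mistyped domain). All names and thresholds below
are assumptions for illustration, not taken from the article."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional

INTERNAL_DOMAIN = "example.org"                          # assumed home domain
APPROVED_EXTERNAL = {"partner-a.com", "partner-b.net"}   # assumed partner allow-list
SENSITIVE_MARKERS = ("confidential", "patient", "password")  # assumed DLP markers
LOOKALIKE_RATIO = 0.85                                   # assumed similarity cutoff


@dataclass
class Verdict:
    action: str                                  # "allow" | "confirm" | "block"
    reasons: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Extract the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` resembles (e.g. exarnple.org), or None."""
    for known in (INTERNAL_DOMAIN, *APPROVED_EXTERNAL):
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= LOOKALIKE_RATIO:
            return known
    return None


def check_outbound(recipients: List[str], subject: str, body: str) -> Verdict:
    """Decide whether a message may be sent as-is, needs confirmation, or is blocked."""
    reasons: List[str] = []
    external = [r for r in recipients if domain_of(r) != INTERNAL_DOMAIN]
    sensitive = any(m in (subject + " " + body).lower() for m in SENSITIVE_MARKERS)
    needs_confirm = False

    for r in external:
        d = domain_of(r)
        if d in APPROVED_EXTERNAL:
            continue
        known = lookalike_of(d)
        if known:
            # Hard constraint: a near-copy of a trusted domain is almost always a typo.
            return Verdict("block", [f"{r}: {d!r} looks like {known!r} (mistyped domain?)"])
        if sensitive:
            # Soft constraint: sensitive data to an unknown domain gets a second look.
            needs_confirm = True
            reasons.append(f"{r}: sensitive content to unapproved domain {d!r}")

    if sensitive and len(external) > 1:
        # The NHS-style failure: a visible recipient list is itself a disclosure.
        needs_confirm = True
        reasons.append("sensitive content to several external recipients; use BCC")

    return Verdict("confirm" if needs_confirm else "allow", reasons)


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    print(check_outbound(["bob@example.org"], "lunch", "noon?"))
    print(check_outbound(["alice@exarnple.org"], "Q3 report", "see attached"))
    print(check_outbound(["a@clinic-x.com", "b@clinic-y.com"], "patient list", "confidential"))
```

The point of the design is that the user never has to remember the rule: the typo case cannot be sent at all, and the risky-but-legitimate case forces a deliberate confirmation, which is exactly the "constraint" and "confirmation step" the list above calls for. In a real deployment the allow-list and markers would come from policy, and the lookalike check would be extended with homoglyph handling.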
KUWAITNET, a regional IT and cybersecurity provider, is strengthening its managed security offerings. Notably, in late 2024, KUWAITNET became an MSP partner with PowerDMARC, enhancing domain and email protection services.
By combining technical controls, awareness programs, and managed services, KUWAITNET is positioned to help organizations reduce human error risk—not just detect it.
Cybersecurity, Kuwaitnet, MFA, ManagedServices, RBAC, breachprevention, humanerror, insiderthreat, securityculture, training