Cybersecurity is not just a technology issue

  • Writer: Robert Salier
  • Aug 25, 2025

Technical security measures address less than half of all risk to data security.


Many SMEs think of cybersecurity as an IT issue.  Some have even said to me that they have confidence that they are protected by their IT providers and systems.  This view tends to miss a couple of key points:


  1. Their IT people are usually marking their own homework when it comes to security

  2. Technical security controls* are critically important but address less than half of all risk to data security 


* E.g. intrusion detection systems, data loss prevention systems, email filtering and quarantining, MFA.


Various industry reports cite human fallibility and error as the cause of between 75% and 95% of all cybersecurity breaches.  CrowdStrike, one of the world’s best-known cybersecurity companies, said in its latest threat hunting report (Aug 2025) that 81% of all hands-on-keyboard intrusions in the last 12 months were malware-free.  It says “Adversaries no longer need malware — they hide in plain sight using stolen credentials and legitimate tools”.


Why is this?  CrowdStrike refers to this trend as a move away from automated, malware-reliant attacks towards manual criminal activity that exploits human fallibility, human error, misjudgement and negligence. In practice, most cybersecurity incidents can be traced to human error, not vulnerabilities in technology. 


Think of cybersecurity as analogous to physical building security.  Most criminal intruders gain access not by picking locks or smashing windows, but by finding an unlocked door, or tricking someone into letting them in.

The best locks in the world won't stop criminals from tricking and scamming their way in.


Not convinced?  Check out this article for some sobering statistics from a 2024 employee risk survey of 14,000 employees across the UK, the USA, France, Germany and Australia.


  • More than 60% of employees admit to bypassing cybersecurity policies to make their lives easier.

  • 36% of respondents re-use the same passwords in the workplace that they use in their personal lives.

  • 35% use external personal storage services to store and share workplace-related information with external parties.

  • 30% share workplace-related passwords and credential logins with co-workers.

  • 34% lost a personal device and 25% lost a work device.

  • 40% habitually download customer data.

  • 42% have been bombarded with so many authentication requests (including multi-factor authentication confirmations) in a short space of time that they just click “accept”.

  • 36% admit to not immediately installing security patches or software updates on their devices.



Summary 

Many people consider cybersecurity an IT issue, and yet technical security measures address way less than half of all cybersecurity risk.  Most breaches come from criminals who exploit human vulnerabilities to scam and trick their way into your IT systems: staff falling for it, staff not realising the implications of their actions, mistakes, and gaps in policy and process.


Adopt world’s best practice, tailored to the resources of your enterprise 

Today, with this in mind, all large companies and government agencies employ Chief Information Security Officers (CISOs) who are responsible for protecting the organisation’s sensitive information, data and IT operations.  Unlike IT people, they take a holistic approach across technology, governance and staff practices.  They are usually independent from IT, both in recognition that cybersecurity is not just an IT consideration and to ensure IT is not marking its own homework.


If your organisation is not large enough to justify a full-time CISO then Holistic Cyber Australia provides a slice of this big end of town, tailored to the smaller end, i.e. working as your "virtual CISO" part-time and/or on-demand.  Fortunately, the "80/20 rule" (a.k.a. the “Pareto Principle”) applies to cybersecurity, i.e. as a general rule of thumb, 20% of all the possible measures you could put in place will return 80% of the security benefits.  That’s great news for SMEs!

 

