The user: from the weak link in the chain to the first line of defence in cybersecurity

For a long time, cybersecurity has focused attention on user weakness. Today, in the face of increasingly sophisticated attacks, the real opportunity lies in turning that perceived vulnerability into a strategic strength.

In the field of cybersecurity, it has been repeated almost like a mantra that ‘the user is the weakest link in the chain’, and I admit my guilt, because I am the first to repeat it constantly.

Fraudulent emails (phishing), calls where too much information is given to strangers, weak passwords, or clicks that catch us off guard in text messages (smishing) have traditionally been the gateway to most personal and corporate security incidents.

Furthermore, with the rise of generative AI, we also have to deal with fraud through audio, video or fake images (deepfake), and this is only just beginning.

It is clear that we must change this view of user weakness. In a context where attacks are increasingly sophisticated and automated, the user can and must become the first line of defence.

From ‘human error’ to ‘human behaviour’

Talking about the user as ‘the weak link’ implies assuming that failure is inevitable. This way of looking at it is limited and, in many cases, leads us to believe that little can be done to solve it.

Today we know that:

  • Most users do not act with malicious intent, but make mistakes due to a lack of awareness and knowledge.
  • Attacks are carefully designed around common human behaviours: trust in a brand the victim already uses, an urgent request to do something important, or the fear of losing money or a service introduced into the interaction.

Therefore, we should accept that eliminating human error is difficult and act accordingly: manage human behaviour so that it becomes another piece of the cybersecurity ecosystem.

Two very different areas: personal life and the corporate environment

In the personal and private sphere, users are a priority target for cybercriminals, as they tend to have less protection and very lax security habits. In this context, it is essential that people adopt basic practices such as using unique and robust passwords (and not writing them down on paper, such as the PIN for cards in their wallet), activating multi-factor authentication, regularly updating devices and applications, and taking a critical approach to unexpected messages, links or calls.

Digital fraud, identity theft, and personal account hijacking can have serious financial and emotional consequences, which is why awareness of cybersecurity should be part of everyday digital life, just as protecting personal information or privacy on social media is.

In this area, it is key to understand that when a contact the user considers legitimate applies pressure or unexpectedly takes the initiative, we should be wary. That call from your gas company, that email about your hotel reservation, etc., where you are asked to interact, enter data, approve processes… be careful! Always stay calm and verify with the relevant company, using official channels and sources, that what they are asking for is correct.

In the corporate environment, organisations have invested heavily in more secure networks (firewalls, EDR, SIEM, advanced detection and protection systems, etc.). Even so, annual incident reports continue to show a consistent pattern:

the human factor is present in a very high percentage of successful attacks.

Fraudulent emails, identity theft, social engineering, and configuration errors resulting from ignorance continue to be common vectors. This demonstrates an uncomfortable reality:

Technology alone cannot protect an organisation if people are not an active part of the cybersecurity strategy.

A user who identifies a suspicious email, hesitates when faced with an unusual request, or reports strange behaviour on their computer is acting as an early detection mechanism, often much faster than automated systems. Employees must become trained, aware sensors who detect signals that technology may overlook.

This approach is particularly relevant in the face of:

  • Targeted phishing attacks (spear phishing).
  • Compromise of internal accounts.
  • Business email compromise (BEC) fraud.
  • Attacks using legitimate channels.

The responsibility for this type of awareness lies with the teams that manage corporate cybersecurity, and one of the most common mistakes is to reduce awareness to a mandatory course once a year. This approach does not generate real behavioural change.

Effective awareness must be:

  • Continuous, not one-off.
  • Contextual, tailored to the user’s role.
  • Practical, based on real examples.
  • Measurable, with clear indicators.

Phishing simulations, brief reminders and positive feedback work much better than purely theoretical approaches.
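As an added illustration of the "measurable, with clear indicators" point and of the user as an early detection mechanism (this is example code, not part of the article or any specific simulation product), the following Python computes the indicators a security team would track across phishing simulation campaigns: click rate, report rate, how quickly users report, whether the first report arrived before the first click, report rate by role (to tailor training to the user's context), and users who clicked in several campaigns (candidates for coaching). The campaigns, users and timings are constructed here; a real programme would export such records from its simulation platform.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class SimEvent:
    """One simulated phishing email delivered to one user."""
    campaign: str                       # campaign identifier
    user: str                           # pseudonymous user id
    role: str                           # business role, for contextual training
    clicked_at: Optional[int] = None    # minutes after delivery the link was clicked
    reported_at: Optional[int] = None   # minutes after delivery the email was reported


# Constructed sample data: hypothetical users and campaigns, not real records.
SAMPLE_EVENTS = [
    SimEvent("2024-Q1", "alice", "finance", clicked_at=12),
    SimEvent("2024-Q1", "bob", "finance", reported_at=30),
    SimEvent("2024-Q1", "carol", "it", reported_at=5),
    SimEvent("2024-Q1", "dave", "sales", clicked_at=8, reported_at=9),
    SimEvent("2024-Q1", "erin", "sales"),
    SimEvent("2024-Q2", "alice", "finance", clicked_at=20),
    SimEvent("2024-Q2", "bob", "finance", reported_at=15),
    SimEvent("2024-Q2", "carol", "it", reported_at=3),
    SimEvent("2024-Q2", "dave", "sales", reported_at=40),
    SimEvent("2024-Q2", "erin", "sales", reported_at=50),
]


def campaign_metrics(events):
    """Per-campaign indicators: click rate, report rate, speed of reporting,
    and whether the first user report arrived before the first click
    (the early-detection signal the article describes)."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    metrics = {}
    for name, evs in sorted(by_campaign.items()):
        clicked = [e.clicked_at for e in evs if e.clicked_at is not None]
        reported = [e.reported_at for e in evs if e.reported_at is not None]
        first_click = min(clicked, default=None)
        first_report = min(reported, default=None)
        metrics[name] = {
            "recipients": len(evs),
            "click_rate": round(len(clicked) / len(evs), 3),
            "report_rate": round(len(reported) / len(evs), 3),
            "median_minutes_to_report": median(reported) if reported else None,
            "report_before_first_click": first_report is not None
            and (first_click is None or first_report < first_click),
        }
    return metrics


def role_report_rates(events):
    """Report rate per role across all campaigns, to target contextual training."""
    sent, reported = Counter(), Counter()
    for e in events:
        sent[e.role] += 1
        if e.reported_at is not None:
            reported[e.role] += 1
    return {role: round(reported[role] / sent[role], 3) for role in sorted(sent)}


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for
    extra coaching and positive feedback rather than blame."""
    clicks = Counter(e.user for e in events if e.clicked_at is not None)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(campaign, m)
    print("report rate by role:", role_report_rates(SAMPLE_EVENTS))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

The report rate and the time to first report are the indicators that show users acting as sensors; a rising report rate across campaigns is a better measure of behavioural change than a falling click rate alone, since a user who clicks and then reports still gives the security team an early signal.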

The role of communication

If cybersecurity comes to be seen as a matter that is not confined to systems and applications (corporate or personal), and the importance of being alert, informed and aware starts to be communicated, users will begin to feel responsible.

It is well known that good communication practices are essential. Clear messages in the media or received directly from the companies we deal with (banks, telephone, gas and electricity companies, etc.) about the importance of security, using non-technical language, recreating examples of how we can be defrauded and recognising the user as an active part of their protection, work very well.

The evolution of cybersecurity points towards a people-centric security model, where technology, processes and people work in an integrated manner.

Users are so important in the cybersecurity ecosystem that they should start to be seen as the first line of defence. With the right training, a strong culture and awareness in their personal lives, and the support of the organisation in corporate environments, people become empowered users in cybersecurity and one of the most valuable assets against digital threats.

In an environment where attacks are constantly evolving, investing in users’ awareness and ability to detect an attack is investing in real security.
