Break the cycle of cybersecurity mistakes
Most organizations place emphasis on training employees to be aware of potential cybersecurity threats. But no matter how much organizations stress security best practices, some employees just keep making the same mistakes. The resulting damage can be significant.
This raises the question: why do some employees not learn the lessons of safe practice, and what can IT teams do about it?
In some cases, the reason could be security fatigue. As employees become overwhelmed by constant security messaging, some tune the message out, reducing its overall effectiveness.
Still, the blame for recurring security mistakes lies primarily with organizations, not individual employees, explains John Bruce, CISO at Quorum Cyber. He says there are three systemic issues that drive persistent problems with cyber defense:
- Cultural misalignment: “Organizations that treat security as a compliance checkbox rather than a business enabler create resistance and workarounds. When security policies impede productivity without clear business justification, employees will find ways around them,” Bruce says.
- Design failures: “Security controls that are difficult to use or poorly integrated into workflows are routinely bypassed. If the secure path is significantly more difficult than the insecure path, humans will naturally choose convenience,” Bruce explains.
- Inadequate feedback loops: “Most organizations lack mechanisms to provide immediate, constructive feedback when security mistakes occur,” Bruce says. “Without real-time learning opportunities, employees repeat the same errors.”
Individual accountability matters, but systemic change requires addressing these root causes rather than simply blaming users for predictable human behavior, Bruce says.
To err is human…
Ultimately, the top internal information security risks come down to human error, says Ven Auvaa, director of information security at cybersecurity firm Armor Point. This includes such things as falling victim to a phishing email or other social engineering scheme, mistakenly delivering key files or sensitive information to the wrong recipient, using a weak password, or simply misplacing a company laptop or mobile device containing sensitive information.
No one particular person or thing is to blame for this challenge, other than the rapid adoption and development of technology as a whole, Auvaa says. The last few decades have seen an exponential amount of advancements in what technology can do and how fast it can do it. It’s important now, especially as AI accelerates this advancement beyond human capability, that technology developers, practitioners, and users put their focus on maintaining security above advancing capability.
“From an organization perspective, this means that the responsibility for making information security mistakes is shared between both the employer and the employee,” Auvaa says. “Employers must invest the time and resources necessary to ensure that their employees are given the proper tools, time, and motivation to learn. And employees must commit to learning and adapting their behavior in order to apply the lessons appropriately.”
To put it simply, if employers continue to treat security awareness training as a “check-the-box” compliance requirement, employees will continue to treat security awareness training as a “check-the-box” work requirement, Auvaa explains.
Security awareness varies widely
Organizations vary widely in their ability to train employees effectively on information security. Many have formal awareness programs, but frequent lapses indicate that training alone is still not sufficient.
The most effective security awareness training programs maintain regular, engaging content that stays up-to-date with current threats, attack tactics, and real-world examples, while also incorporating testing measures, such as phishing simulations, to measure just how well employees are applying their security awareness training during their day-to-day activities.
Employees often understand policies conceptually but struggle to apply them consistently in day-to-day work, explains Chase Doellinger, principal strategist and director at JumpCloud, which offers a security access platform. Hybrid IT environments, with multiple platforms and applications, further complicate awareness efforts, making ongoing reinforcement and practical, role-specific guidance essential.
Awareness of cybersecurity threats does continue to grow thanks to high-profile cyberattacks, ransomware incidents, and regulatory pressures, Doellinger explains. He says employees today are more familiar with basic practices such as multi-factor authentication and phishing avoidance than they were a few years ago. However, evolving technologies, hybrid work models, and the proliferation of AI-driven tools outpace standard training programs. This leads to uneven awareness across organizations.
Organizations are making gains in security awareness
The good news is that organizations are steadily working towards improvement in cybersecurity training, says Benjamin Luthy, program director of cybersecurity and adjunct professor at Champlain College Online. Most large companies now dedicate teams or whole departments to building a strong security culture and delivering ongoing awareness training.
“Not only do I see this in industry, but there is also hard data backing it up,” Luthy explains. “A recent global study by KnowBe4 found that comprehensive security awareness training programs reduced phishing click-through rates by as much as 86% over a 12-month period.”
That said, the work never ends. Cybersecurity threats evolve quickly, and attackers continue to exploit the human element as a primary entry point. Fortunately, organizations increasingly recognize this as a direct business problem and are making meaningful investments to address it.
“At Champlain College, for example, a significant number of our cybersecurity courses highlight not only the technical aspects of defense, but also the dangers of neglecting employee training,” Luthy explains. “Students learn both the risks of inadequate awareness programs and the long-term ramifications for organizations that fail to invest in their people.”
Safety lessons exist, but will the messages stick?
Just about every organization today runs some kind of security training, but making those lessons stick is a challenge. A big reason is that employees face unique and risky choices that vary “in the moment,” explains Zbyněk Sopuch, CTO of Safetica, an intelligent data security solutions provider preventing data leaks and managing insider risks across on-premises and cloud environments. Those include sharing a file with a vendor, pasting text into a web form, or asking an AI tool to summarize a report.
“Because the nature of threats is evolving daily, it’s best to have the obligatory regular trainings, and then pair short, scenario-based refreshers with just-in-time guardrails: clear prompts or policy checks that appear exactly when someone is about to do something risky,” Sopuch explains.
Compared to a few years ago, employee security awareness is higher, but the attack surface is wider and broader. Sopuch says gray areas such as hybrid work, SaaS sprawl, and AI tools mean even security-savvy employees have more opportunities to make a mistake.
“Nowadays we see fewer ‘what is phishing?’ questions and more ‘I knew, but I was rushed’ incidents,” Sopuch says.
Holistic awareness is key. It’s not enough for security awareness programs to simply teach users how to defend themselves and the organization, but they must also teach why users must defend themselves, and what they are defending themselves against.
“Previously we’ve seen awareness training focus on basics like password strength or how to spot a phishing scam, but this simply isn’t enough,” Auvaa explains. “For employees to truly buy-in to the cybersecurity culture, they must also understand why these security practices are important not just for the organization but for their personal lives as well. The expanded attack surface brought on by cloud-computing, remote work, and IoT devices means that the repercussions of a cybersecurity attack go beyond just their employer and extend into the employee’s personal life.”
Reducing internal missteps
So how does a security leader turn the tide on repeated security mistakes? The most effective protection programs integrate a mix of people, process, and technology, Sopuch explains.
“First off, keep training short and tied to real tasks that are in regular play like sharing files, handing data to vendors, and using AI tools. One point to really emphasize to staff is to read consent screens and scopes before authorizing apps,” Sopuch says.
Give employees access only as needed. If someone needs extra access, allow it temporarily and remove it automatically. Automate joiner-mover-leaver so that when someone is hired, changes roles, or leaves, their accounts and file shares are created, updated, or revoked that same day, with no extras.
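To make the joiner-mover-leaver idea concrete, here is an added example (not from the article or from Safetica) of the reconciliation logic such automation runs: it compares an HR roster against the accounts that actually exist, derives each user's standing entitlements from their role, and emits the adds and revocations needed that day. Time-boxed grants expire on their own. The roster, roles, entitlement names and accounts are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Grant:
    entitlement: str
    expires_at: Optional[datetime] = None  # None = standing access derived from the role

def grant_temporary(entitlement: str, hours: int, now: datetime) -> Grant:
    """Time-boxed extra access: it is revoked by reconcile() once expires_at passes."""
    return Grant(entitlement, expires_at=now + timedelta(hours=hours))

def reconcile(roster: Dict[str, str],
              role_entitlements: Dict[str, Set[str]],
              accounts: Dict[str, List[Grant]],
              now: datetime) -> Dict[str, dict]:
    """Return per-user actions: which entitlements to add or revoke, and whether to disable."""
    actions = {}
    # Leavers and movers: walk every account that currently exists.
    for user, grants in accounts.items():
        role = roster.get(user)
        if role is None:  # leaver: not on the roster any more
            actions[user] = {"disable": True, "add": set(),
                             "revoke": {g.entitlement for g in grants}}
            continue
        desired = role_entitlements.get(role, set())
        standing = {g.entitlement for g in grants if g.expires_at is None}
        expired = {g.entitlement for g in grants
                   if g.expires_at is not None and g.expires_at <= now}
        actions[user] = {
            "disable": False,
            "add": desired - standing,                 # role needs it, user lacks it
            "revoke": (standing - desired) | expired,  # mover leftovers + lapsed temp grants
        }
    # Joiners: on the roster but with no account yet.
    for user, role in roster.items():
        if user not in accounts:
            actions[user] = {"disable": False,
                             "add": set(role_entitlements.get(role, set())),
                             "revoke": set()}
    return actions

# Constructed sample data (hypothetical users, roles and systems).
NOW = datetime(2024, 6, 1, 9, 0)
HR_ROSTER = {"alice": "finance", "bob": "engineering", "dave": "engineering"}  # carol has left
ROLE_ENTITLEMENTS = {"finance": {"erp", "expense-tool"}, "engineering": {"git", "ci"}}
ACCOUNTS = {
    "alice": [Grant("erp"), Grant("expense-tool"),
              grant_temporary("payroll-db", 8, NOW - timedelta(days=1))],  # lapsed yesterday
    "bob": [Grant("erp"), Grant("git"),                                      # moved finance -> engineering
            grant_temporary("prod-db", 4, NOW)],                             # still valid
    "carol": [Grant("git")],
}

def run_demo() -> Dict[str, dict]:
    return reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNTS, NOW)

if __name__ == "__main__":
    for user, action in run_demo().items():
        print(user, action)
```

The point of the shape is that nothing is granted by hand and nothing lingers: a mover loses the old role's access on the same run that adds the new role's, and a temporary grant needs no follow-up ticket to be cleaned up.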
Sopuch advises that organizations ‘sort’ their data into three simple buckets: public, internal, and restricted. They should make those labels enforceable inside everyday tools such as Drive, SharePoint, and email, so that default sharing and downloads follow the rules.
For security controls, use phishing-resistant MFA like passkeys, and conditional access that only lets in trusted devices and locations. Turn on insider-risk and DLP tooling that watches for risky actions, including uploads, copy/paste, cloud sync, printing, and screenshots.
“Be sure to coach users with a prompt instead of silently blocking them to help avoid the human nature step of ‘finding a workaround’,” Sopuch explains.
Security leaders should also monitor their SaaS routinely to find “anyone with the link” shares and close them, auto-expire old access, and revoke risky OAuth apps people connected to Google and Microsoft. Also, lock down browsers by limiting high-risk extensions and opening untrusted sites in an isolated view.
An important step is to monitor and log enough activity to establish what normal data activity looks like, then set alerts when something unusual happens, such as unusually large transfers, odd destinations, or sudden activity outside business hours.
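The baseline-and-alert logic described above, as an added example that is not part of the article or of any vendor's product: it reads constructed upload logs, learns each user's typical transfer size and destinations from a baseline window, and then flags later events for the three conditions named (large transfer, new destination, off-hours). The log format, field names, thresholds and working hours are assumptions chosen for the illustration.

```python
import csv
from datetime import datetime
from io import StringIO
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample log (not captured from a real system).
LOG = """timestamp,user,action,bytes,destination
2024-06-03T09:12:00,alice,upload,120000,sharepoint.example.com
2024-06-03T10:40:00,alice,upload,95000,sharepoint.example.com
2024-06-04T11:05:00,alice,upload,110000,sharepoint.example.com
2024-06-04T14:20:00,alice,upload,130000,sharepoint.example.com
2024-06-05T09:50:00,alice,upload,105000,sharepoint.example.com
2024-06-06T23:41:00,alice,upload,4800000000,files.unknown-host.example
2024-06-03T09:30:00,bob,upload,2000000,drive.example.com
2024-06-04T09:35:00,bob,upload,1800000,drive.example.com
2024-06-05T09:20:00,bob,upload,2200000,drive.example.com
2024-06-06T10:00:00,bob,upload,2100000,drive.example.com
"""

WORK_HOURS = (8, 18)   # assumed business hours, inclusive start / exclusive end
SIGMA = 3.0            # assumed size threshold: mean + 3 standard deviations

def parse_log(text: str) -> List[dict]:
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "bytes": int(row["bytes"]),
            "destination": row["destination"],
        })
    return events

def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per user: typical transfer size and the set of destinations seen in the baseline window."""
    by_user: Dict[str, List[dict]] = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        m = mean(sizes)
        # Floor the spread so a flat history does not make every later transfer "large".
        s = max(pstdev(sizes), 0.1 * m)
        baseline[user] = {"mean": m, "std": s,
                          "destinations": {e["destination"] for e in evs}}
    return baseline

def detect(events: List[dict], baseline: Dict[str, dict]) -> List[dict]:
    alerts = []
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("no_baseline")  # a user with no history is itself worth a look
        else:
            if e["bytes"] > b["mean"] + SIGMA * b["std"]:
                reasons.append("large_transfer")
            if e["destination"] not in b["destinations"]:
                reasons.append("new_destination")
        if not (WORK_HOURS[0] <= e["timestamp"].hour < WORK_HOURS[1]):
            reasons.append("off_hours")
        if reasons:
            alerts.append({"user": e["user"], "timestamp": e["timestamp"].isoformat(),
                           "bytes": e["bytes"], "destination": e["destination"],
                           "reasons": reasons})
    return alerts

def analyze(log_text: str, baseline_until: datetime) -> List[dict]:
    """Learn from events before the cutoff, evaluate events from the cutoff onward."""
    events = parse_log(log_text)
    history = [e for e in events if e["timestamp"] < baseline_until]
    recent = [e for e in events if e["timestamp"] >= baseline_until]
    return detect(recent, build_baseline(history))

def run_demo() -> List[dict]:
    return analyze(LOG, datetime(2024, 6, 6))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In the sample, bob's 06-06 upload stays quiet because it is close to his own history and goes to a known destination during the day, while alice's late-night multi-gigabyte upload to a never-seen host trips all three checks at once. Stacking reasons like this is what lets an analyst prioritize: one odd signal is noise, three together is a case.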
“Ultimately, the fastest path to smooth security is when policies are visible and understood at the moment of risk. For employees it will become like muscle memory: they will err on the side of safety without slowing down,” Sopuch says.