You can spend six figures on firewalls, endpoint protection, and round-the-clock monitoring and still get breached because one employee granted access to someone they believed was IT support. That is not a hypothetical. It is one of the most common ways Canadian mid-market businesses get compromised, and in most cases the security tools were working exactly as designed when it happened.
This post covers why human error is still the leading cause of cyber incidents, the social engineering threats your organization faces today, and the practical steps that actually lower the risk.
Human error remains the biggest cybersecurity risk because attackers have shifted their focus from breaking technology to manipulating people, and people are far easier to fool than modern security tools are to defeat. Social engineering, from phishing emails to fake IT-support requests for remote access, along with weak or reused passwords, bypasses technical controls by targeting the person holding the keys. The organizations that stay secure treat their staff as part of the defence, pairing layered technology with continuous training so a single mistake does not turn into a breach.
Human Error (in Cybersecurity)
In cybersecurity, human error is any unintentional action, or failure to act, by a user that gives an attacker an opening: granting remote access to an impostor, clicking a malicious link, reusing a password, or sending sensitive data to the wrong recipient. It is distinct from malicious insider activity because there is no intent to cause harm, which is exactly why it is so hard to defend against with technology alone.
Why do attackers target people instead of systems?
Because it works, and it is cheaper. A modern security platform that is patched and configured correctly is genuinely hard to break. A distracted employee at 4:45 on a Friday is not. Rather than spend weeks hunting for a software vulnerability, attackers reach people directly by email, phone, chat, or a remote-support tool, ask them to approve a request or grant access, and let normal human behaviour do the rest.
68%
of breaches involved a non-malicious human element, such as a person making an error or falling for social engineering (Verizon 2024 Data Breach Investigations Report)
We see this pattern directly. When we run a baseline social engineering test for a new GTA client before any training, the number of staff who engage with a convincing request commonly lands between 20 and 30 percent. These are not careless people. They are busy staff who have never been shown what a modern attack actually looks like, and that gap is what attackers monetize. According to the Verizon 2024 Data Breach Investigations Report, the human element is a factor in roughly two-thirds of all breaches, a figure that has barely moved despite years of improving security technology.
What are the most common social engineering threats?
Social engineering is the common thread behind most human-driven incidents, whether it arrives as a phishing email, a fake IT-support request, or a phone call. It works by getting a legitimate user to act on the attacker’s behalf, which is why it slips past tools built to stop malicious code. Weak passwords then compound the problem by turning one successful trick into access across multiple systems.
Social Engineering
Social engineering is any attack that manipulates a person into granting access, revealing information, or taking an action that helps the attacker, rather than exploiting a technical flaw. It spans phishing emails, fraudulent phone calls, text messages, and impersonation over chat or remote-support tools. Because it targets human trust instead of software, it routinely bypasses technical defences.
| Threat | How it exploits people | First line of defence |
|---|---|---|
| Phishing | Fake emails, websites, and messages that impersonate trusted brands or colleagues to steal credentials or deliver malware | User training plus email filtering and MFA |
| IT-support impersonation | Attackers pose as internal IT or a trusted vendor over chat or remote-support tools and request access to a workstation | Verify every unexpected access request through a known channel |
| Weak passwords | Reused, predictable, or shared passwords let one leaked credential unlock multiple accounts | A password manager, a minimum length with breached-password screening, and MFA |
A single successful trick often becomes the foothold for a wider campaign, which is why we treat social engineering defence as the foundation rather than one item on a checklist.
Attackers increasingly use AI to write flawless, personalized messages, so the old advice to “watch for spelling mistakes” no longer holds. A message can be grammatically perfect, reference a real project, and still be fraudulent. Verification habits matter more than spotting typos.
How do attackers impersonate IT support?
A fast-growing social engineering tactic skips email entirely: the attacker contacts a user directly through a chat or remote-support tool, claims to be from IT or a trusted vendor, and asks for remote access to fix an urgent problem. The channel is what makes it effective. A message in Microsoft Teams or a session request through a tool like ScreenConnect feels far more legitimate than a cold email, so the usual phishing instincts never fire.
Once a user grants access, the attack moves fast. An impostor with a live remote session can install malware, copy sensitive data, and disconnect within minutes, often before anyone realizes the “support technician” was never from IT. Because the session runs over a legitimate, signed remote-support tool, endpoint protection rarely flags it, and because none of it touches the email gateway, email-based phishing training does nothing to stop it. This is exactly why awareness has to extend beyond the inbox to every channel a user can be reached on.
Treat any unexpected request for remote access as hostile until proven otherwise, whether it arrives by email, phone, Microsoft Teams, or a remote-support tool such as ScreenConnect. Verify it through a known IT contact or your ticketing system before granting access. A real technician will never object to being verified.
Why isn’t security technology enough on its own?
Because every technical control still has a human in the loop, and that person can be persuaded to open the door. Firewalls, endpoint detection, and multi-factor authentication all raise the cost of an attack, but a user who approves a fraudulent MFA prompt or hands remote control to a fake technician has just walked the attacker past those defences. Technology narrows the attack surface; it does not remove the person standing in the middle of it.
99.9%
of automated account-compromise attacks are blocked by enabling multi-factor authentication (Microsoft)
That does not make the technology optional. Multi-factor authentication alone blocks the overwhelming majority of automated account attacks, according to Microsoft. The point is that controls and people reinforce each other. Layered technology catches the mistakes training misses, and trained users catch the attacks that slip past the tools.
Move your organization to phishing-resistant MFA (FIDO2 hardware keys or passkeys) for administrators and finance staff first. These accounts are the highest-value targets, and the weaker factors still fail against a determined attacker: app-based push approvals can be defeated by MFA fatigue attacks where a user taps “approve” just to stop the notifications, and one-time codes can be relayed through a real-time phishing proxy.
How do you build a security-aware culture?
You build a security-aware culture by making safe behaviour routine and easy, not by running a once-a-year training video and hoping it sticks. The goal is an organization where staff recognize common attacks across every channel, follow simple verification habits, and feel safe reporting a mistake immediately. The following steps are the ones we put in place for clients, in order of impact.
Train regularly, in short sessions: Replace the annual marathon with brief, frequent refreshers covering email, phone, and chat-based attacks. People retain more from ten focused minutes each month than from a single long session they forget by lunch.
Verify every remote-access request: Teach staff that no one approves remote control of their workstation from an unexpected message or call, no matter how urgent it sounds. Confirm through a known IT contact or a ticket first, regardless of the channel it came through.
Run social engineering simulations: Send realistic phishing tests and, where possible, simulate impersonation attempts, then measure engagement and report rates. Simulations turn an abstract risk into a concrete, improvable number and show staff what a real attack feels like in a safe setting.
Enforce strong passwords and MFA: Require a password manager, block reused and breached passwords, and turn on multi-factor authentication everywhere it is available, starting with email and privileged accounts.
Make reporting easy and blameless: Give staff a one-click way to report a suspicious message or call, and thank them when they do, even for false alarms. The faster a real attack is reported, the smaller the damage.
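What the “Enforce strong passwords and MFA” step looks like at the point where a password is actually set, as an added example that is not code from the original post or from BALANCED+: a candidate password is rejected if it is too short, if it appears in a breached-password list, or if it matches a password the user already has on file. The breached list is a small constructed sample of SHA-1 digests in the uppercase hex format Have I Been Pwned publishes (a real deployment loads the offline list or queries the range API), the twelve-character minimum is an assumed policy value, and the password history is stored as salted PBKDF2 hashes rather than anything reversible.

```python
"""Password screening at sign-up or password change (added example).

Assumptions, none of which come from the post: a 12-character minimum, a
constructed breached-digest sample standing in for the HIBP data set, and a
per-user history of salted PBKDF2 hashes used to block reuse.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12  # assumed policy value

# Constructed sample: SHA-1 digests of four well-known weak passwords, in the
# uppercase hex format of the HIBP "pwned passwords" list. Embedded so the
# example runs offline; a real check loads the full list or calls the range API.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "Welcome1", "Password1234")
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str, breached: set = BREACHED_SHA1) -> bool:
    """k-anonymity range check: only the first five hex characters of the
    digest would leave the client; every breached suffix under that prefix
    comes back and the comparison happens locally. The in-memory set plays
    the role of the range endpoint here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    returned_suffixes = {h[5:] for h in breached if h.startswith(prefix)}
    return suffix in returned_suffixes


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the stored history. SHA-1 above is used only to
    match the breach list's format; never store a bare SHA-1 of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def history_entry(password: str, salt: bytes = b"") -> tuple:
    """Build a (salt, digest) pair for the user's password history."""
    salt = salt or os.urandom(16)
    return salt, pbkdf2(password, salt)


def reused(password: str, history) -> bool:
    return any(
        hmac.compare_digest(pbkdf2(password, salt), stored) for salt, stored in history
    )


def check_password(password: str, history=()) -> list:
    """Return every policy failure for a candidate; an empty list means accept."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        failures.append("appears in a breached-password list")
    if reused(password, list(history)):
        failures.append("matches a password already in use")
    return failures


if __name__ == "__main__":
    previous = [history_entry("correct horse battery staple")]
    for candidate in (
        "Welcome1",
        "Password1234",
        "correct horse battery staple",
        "tr0ub4dor&3 plus a long tail",
    ):
        print(f"{candidate!r}: {check_password(candidate, previous) or 'accepted'}")
```

The range-style lookup is the part worth keeping even if you swap the rest: it lets you check against a public breach corpus without ever sending the password, or its full hash, off the host. Pair the server-side check with a password manager on the client so staff never have to invent the passphrase that passes it.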
This works. Across the clients where we run continuous simulations and short monthly training, we typically see engagement with test attacks fall from that 20 to 30 percent baseline into the single digits within a few cycles, and report rates climb at the same time. The cost of that program is trivial next to the alternative. IBM puts the global average cost of a data breach at US$4.88 million in 2024.
US$4.88M
average total cost of a data breach in 2024, the highest on record (IBM Cost of a Data Breach Report 2024)
The bottom line
The strongest cybersecurity strategy combines advanced security technology with continuous employee education. Technology alone cannot stop social engineering that convinces a person to open the door, whether by email, phone, or a remote-support tool, and awareness alone cannot catch what slips through. Reducing human error is the highest-leverage move most organizations can make to lower the risk of a successful attack and strengthen their overall security posture.
BALANCED+ is a Fortinet Authorized Partner, and our security engineers hold Fortinet NSE certifications, but we tell every client the same thing: the technology is only half the job. Our managed cybersecurity team runs social engineering testing and awareness training alongside the firewalls, monitoring, and MFA, so your people become a layer of defence rather than the weakest link. If you want to see where your staff stand today, a baseline social engineering assessment is a low-effort place to start.
Sources
- 2024 Data Breach Investigations Report, Verizon, 2024.
- One simple action you can take to prevent 99.9 percent of attacks on your accounts, Microsoft, 2019.
- Cost of a Data Breach Report 2024, IBM, 2024.