Humans Are the Weakest Link—But Which Humans?
Why Cybersecurity Failures Are Leadership Failures, Not User Mistakes
For years, cybersecurity professionals have echoed the phrase: “Humans are the weakest link.” It’s often used to explain why phishing attacks succeed, why credentials get stolen, and why ransomware spreads. The assumption? That end users—everyday employees working with computers—are the primary culprits.
But I believe that we’ve been looking at it the wrong way.
The real weak link isn’t the employees clicking on malicious emails, but rather the decision-makers responsible for securing the organization. At the very least, users and those responsible for cybersecurity should share the label.
Rethinking the “Weakest Link” Narrative
Consider a common scenario: A company suffers a major security breach after an employee’s credentials are leaked on the dark web. The credentials were valid because multi-factor authentication (MFA) wasn’t enabled.
One would consider this unthinkable nowadays, but last year’s breaches at UnitedHealth Group and Snowflake show that this happens more often than not.
Now, let’s ask: Who was the actual weak link?
The employee whose password was leaked?
The IT administrator who didn’t enforce MFA?
The CISO who didn’t prioritize MFA in the company’s security policy?
The budget owner who refused to allocate resources for security improvements?
If we focus only on the end user, we ignore the systemic failures that allowed the breach to happen. Users are only as strong as the security environment built around them, and no cybersecurity awareness training will fix that.
Failures in Basic Cyber Hygiene
Beyond MFA, there are numerous cybersecurity practices that are well-documented yet frequently neglected. Unpatched and outdated systems, vulnerable applications, lack of backup and recovery, poor endpoint protection… these basic hygiene recommendations have not changed since the dawn of computers.
However, many breaches start because one of them has not been properly put in place. Who is responsible when organizations fail to implement them?
Patching known vulnerabilities is a fundamental security task. Yet, many breaches occur due to unpatched software—sometimes for months or even years after a fix is available. This isn’t an employee clicking a bad link; it’s a failure of IT and security leadership to maintain a structured patch management process.
Beyond the Commonly Recommended Best Practices
Besides these widely known cyber hygiene practices, there are simple yet powerful ways to minimize problems. For example, phishing remains one of the most effective attack vectors.
Yet, many organizations do not implement simple email authentication protocols like SPF, DKIM, and DMARC—measures that could significantly reduce phishing attempts that appear to come from legitimate sources.
Sendmarc, a provider of email security solutions, has found that the majority of organizations have at least one of these controls either poorly implemented or missing altogether.
A properly configured DMARC policy would reduce email impersonation to close to zero. If employees receive convincing phishing emails, should we blame them for falling for it, or the security team for failing to prevent those emails from reaching inboxes in the first place?
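As an added illustration of what “poorly implemented” looks like in practice (example code written for this post, not from the author or from Sendmarc), the script below checks SPF and DMARC records for the weak settings that leave a domain spoofable: a permissive +all, a monitoring-only p=none policy, or a record that is simply absent. The DNS records are constructed sample data for a hypothetical domain; a real check would fetch the TXT records for the domain and for _dmarc.<domain> with a resolver, and DKIM is left out because verifying it requires knowing the selectors in use. Note that DMARC only covers mail claiming to come from the organization’s own domain; lookalike domains need other controls.

```python
import re

# Constructed sample TXT records for a hypothetical domain (not real lookups).
WEAK_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailhost.test +all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}
STRONG_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailhost.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test",
}

def assess_spf(record):
    """Return weaknesses found in an SPF TXT record (empty list means OK)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["SPF record missing"]
    # The final 'all' mechanism decides what happens to senders no other term matched.
    all_terms = [t for t in record.split()[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism: unmatched senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF ends in '+all': any host on the internet may send as this domain"]
    if qualifier == "?":
        return ["SPF ends in '?all': neutral result, no protection"]
    return []

def assess_dmarc(record):
    """Return weaknesses found in a DMARC TXT record (empty list means OK)."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return ["DMARC record missing"]
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag missing or invalid")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: no aggregate reports will arrive")
    return findings

def mail_auth_posture(domain, txt_records):
    """Combine SPF and DMARC findings for a domain given its TXT records."""
    return assess_spf(txt_records.get(domain)) + assess_dmarc(txt_records.get("_dmarc." + domain))
```

Running mail_auth_posture("example.test", WEAK_RECORDS) returns the two findings for the weak set, while the strong set returns an empty list.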
There’s more…
Some say that identity is the new perimeter, and considering the number of SaaS and cloud applications that businesses are using, that definitely makes sense. Yet the majority of companies around the world have poor or non-existent practices in place for managing identities and their privileges.
Considering that at least 1/3 of breaches start inside an organization, how do security teams still struggle to prioritize appropriate identity and privilege management?
The Real Responsibility: Cybersecurity Leaders (kind of)
Cybersecurity is not just a technical problem—it’s a leadership and accountability problem. Blaming users for security failures is easy, but it ignores the real issue: security is an organizational responsibility.
If security is weak, it’s not because employees are careless—it’s because leadership hasn’t built a resilient security culture.
That doesn’t mean everything is on the shoulders of the CISO or Cybersecurity team. They definitely have their own challenges to address. In an industry that has de-prioritized prevention and has become more complex, their resources and tools can be scarce.
However, the focus should shift from blaming users to system resilience, and to making sure the basic security measures are in place. All business leaders need to ensure that security is part of their organization before an attack, not an afterthought.
At the end of the day, Cybersecurity leaders as well as those responsible for budgets and resources within an organization must acknowledge that the strength - or weakness - of an organization’s cybersecurity posture rests on their shoulders.
It’s time to move beyond the outdated narrative that “humans are the weakest link” and ask the real question: Which humans are responsible for making cybersecurity stronger?
I would like companies (but also public organizations) to start realizing what you are writing about. Although, in my opinion, the problem is not always the incompetence of leaders, but the lack of them. Sometimes it's due to management unawareness, and sometimes it's due to lack of resources. Small companies often think they can't afford an extra full-time employee, let alone an entire security team. That's why some time ago we started working with a group of friends on a community project that could be called “safety ambassadors.” We share our knowledge with organizations that want it, and create a SPOC in such an organization. We are mainly talking about public offices, schools, hospitals. Then such a SPOC, in case they don't know what to do in a particular case (or where to even start), can come to us for advice. Over time, they will be able to implement just those basic principles of cyber hygiene you write about. And sometimes that's enough to make a bad actor give up on attacking a particular site and look for an easier target.