New research proves we have to focus on human behaviour

by Black Hat Middle East and Africa

Help build a more resilient future – with insights and inspiration from the global Black Hat MEA community, in your inbox every week. 

This week we’re focused on…

Why cybersecurity leaders need to keep their focus on human behaviour. 

Why? 

Because on the blog this week we dug into two new cybersecurity reports: one that shows security teams need to understand threat actor behaviour, and one that highlights how vulnerable organisations are to vendor email compromise (VEC) attacks.

Both reports are packed with data that tells an important story about what’s really important in cybersecurity right now – and the moral of that story is that it’s all about people. Everyone’s a frontline player in cyber defence, from entry-level employees to trusted vendors.

And unless they’re educated, they’re vulnerable. 

As Omar Khawaja (CISO at Databricks) told us:

“I used to think technical security controls were the most important part of a security program, then I realised it was important to not just have controls but for the controls to be part of some comprehensive framework (compliance!). Then I evolved my thinking to consider the business as the most important stakeholder (risk management). Along the way, I learned that in a complex organisation, people and process are immensely more important than technical controls.”

Today’s threat landscape demands that everyone experiences this shift in perspective. 

New data, same problem: Human vulnerability 

According to the latest Abnormal Security report, threats are arriving thick and fast in our inboxes, and VEC attacks are proving especially dangerous:

  • 44% of employees engaged with VEC attacks (either replying or forwarding the messages).
  • In large enterprises, that engagement rate jumps to 72%.
  • 98.5% of text-based email attacks go unreported.
  • Attackers tried to steal over $300 million through vendor scams in a single year.

What makes these attacks so effective? They blend perfectly into normal business communication. Fake invoices, urgent payment requests, spoofed email threads – all crafted to look entirely legitimate. Sometimes they even come from real compromised vendor accounts.

So technical controls alone aren’t enough. Education is critical. And that education can’t be limited to your IT or security teams.

Employees and vendors are unprepared 

Nisreen Al Khatib (Expert in IS Risk Management, Data Privacy, and Cybersecurity Management) has spent years working on this issue. She told us:

“Cybersecurity awareness and education is one of the most challenging domains in cybersecurity...awareness and education touches all people who go online – and this covers a huge population with diverse knowledge, educational backgrounds, and security understanding.”

She emphasised that communication must be tailored to different audiences – because not everyone speaks the same technical language. What works for engineers won’t work for sales teams or finance admins. 

The report by Abnormal also showed that entry-level sales staff had an 86% engagement rate with VEC emails. That’s not because they’re careless – it’s because their jobs demand fast responses, high volume communication, and coordination with external parties. So without training that takes context into account, they’re an easy target for cybercriminals. 

Education must evolve with the threat 

Both Khawaja and Al Khatib pointed out that cybersecurity is, first and foremost, about people and processes. That means shifting from one-size-fits-all training to dynamic, role-specific education that evolves as threats evolve.

Al Khatib said:

“We can’t address cybersecurity education and awareness with the same old methods, or we will get the same disappointing results.”

Attackers are already using AI to customise their scams. They’re hijacking real email threads and impersonating real vendors. Meanwhile, many organisations are still rolling out static training modules and hoping for the best. The cybersecurity community needs to work together to change this. 

So what should cybersecurity leaders do now? 

  1. Tailor training by role and risk. Prioritise high-risk departments like finance, project management, and sales. Build scenarios that reflect their actual workflows.
  2. Extend education to vendors. If your vendors are compromised, so are you. Include them in awareness campaigns or offer joint security workshops.
  3. Normalise and encourage reporting. With less than 2% of advanced attacks being reported, it’s clear that fear or apathy is winning. Change the culture – make reporting feel like a success, not a burden.
  4. Invest in behavioural data. Understand how your people actually engage with emails and where the blind spots are.
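As an added example (not code from this post, from Black Hat MEA, or from Abnormal Security's report), here is one way a security team could produce the behavioural data that point 4 calls for: engagement and reporting rates per role, computed from a phishing-simulation event log using the report's definition of engagement (replying or forwarding), with the highest-engagement roles surfaced so training can be prioritised as point 1 suggests. The log format, the role names, the action names and the priority threshold are assumptions, and the event lines are constructed sample data.

```python
"""Per-role engagement and reporting metrics from a phishing-simulation event log.

Added example, not code from the Black Hat MEA post or the Abnormal Security
report. Log format, roles, action names and threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (assumed format): timestamp,user,role,action
# Actions: delivered, opened, replied, forwarded, reported. Events may arrive
# out of order, so each user's events are collapsed into a set before scoring.
SAMPLE_LOG = """\
2024-05-01T09:01:00Z,u001,finance,delivered
2024-05-01T09:03:12Z,u001,finance,opened
2024-05-01T09:04:40Z,u001,finance,replied
2024-05-01T09:01:00Z,u002,finance,delivered
2024-05-01T09:10:02Z,u002,finance,reported
2024-05-01T09:01:00Z,u003,sales,delivered
2024-05-01T09:02:30Z,u003,sales,forwarded
2024-05-01T09:01:00Z,u004,sales,delivered
2024-05-01T09:05:00Z,u004,sales,opened
2024-05-01T09:06:10Z,u004,sales,replied
2024-05-01T09:20:00Z,u004,sales,reported
2024-05-01T09:01:00Z,u005,engineering,delivered
2024-05-01T09:01:00Z,u006,engineering,delivered
2024-05-01T09:30:00Z,u006,engineering,reported
"""

# "Engaged" follows the report's definition: replied to or forwarded the lure.
ENGAGEMENT_ACTIONS = {"replied", "forwarded"}


@dataclass
class RoleStats:
    delivered: int = 0          # distinct users in the role who received the lure
    engaged: int = 0            # users who replied or forwarded
    reported: int = 0           # users who reported the lure
    engaged_then_reported: int = 0  # users who did both (a near miss, not a clean catch)

    @property
    def engagement_rate(self) -> float:
        return self.engaged / self.delivered if self.delivered else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.delivered if self.delivered else 0.0


def parse_log(text: str):
    """Return ({user: set(actions)}, {user: role}); blank and '#' lines are skipped."""
    per_user = defaultdict(set)
    roles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _ts, user, role, action = line.split(",")
        per_user[user].add(action)
        roles[user] = role
    return per_user, roles


def role_stats(text: str) -> dict:
    """Aggregate per-user outcomes into RoleStats keyed by role name."""
    per_user, roles = parse_log(text)
    stats = defaultdict(RoleStats)
    for user, actions in per_user.items():
        s = stats[roles[user]]
        s.delivered += 1                       # every logged user received the lure
        engaged = bool(actions & ENGAGEMENT_ACTIONS)
        reported = "reported" in actions
        s.engaged += engaged
        s.reported += reported
        s.engaged_then_reported += engaged and reported
    return dict(stats)


def priority_roles(stats: dict, threshold: float = 0.5) -> list:
    """Roles whose engagement rate meets the (assumed) threshold, worst first."""
    hot = [r for r, s in stats.items() if s.engagement_rate >= threshold]
    return sorted(hot, key=lambda r: stats[r].engagement_rate, reverse=True)


if __name__ == "__main__":
    stats = role_stats(SAMPLE_LOG)
    for role, s in sorted(stats.items()):
        print(f"{role:12} engaged {s.engagement_rate:.0%}  reported {s.report_rate:.0%}"
              f"  engaged-then-reported {s.engaged_then_reported}")
    print("prioritise training for:", priority_roles(stats))
```

The engaged-then-reported column is worth keeping separate: a user who replied and only then reported has still leaked a response to the attacker, so that role needs workflow-specific training even though its report rate looks healthy.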

Cybersecurity doesn’t happen in the server room 

It’s now woven into every conversation, every contract, and every inbox. The best security leaders today are educators, communicators, and behavioural strategists, as well as technologists. They need to see the bigger picture. 

Until we train everyone to recognise threats, we’ll keep seeing the same avoidable attacks succeed. It’s time to take education seriously – because everyone depends on it.
