The Human Element: Why Your People Are Your Biggest Cybersecurity Risk — and What to Do About It
Key Takeaways
- The human element is a factor in approximately 60 percent of all data breaches. It is the permanent variable in cybersecurity, not a temporary gap to close.
- Training addresses knowledge; culture addresses behavior. Culture determines how your organization responds when an employee makes an error under pressure.
- The most dangerous moment in a breach is not when the employee clicks the link. It is the time between that click and when someone reports it.
- Three practices that actually manage the human element: documented protocols every employee knows, ongoing reinforcement beyond annual training, and psychological safety around reporting.
- For organizations without dedicated IT staff, cybersecurity culture starts with the leader. If the executive director or owner treats it as a priority, the organization follows.
The One Constant
In thirty years of cybersecurity work, across the breaches I have studied, the incidents I have responded to, and the organizations I have advised, one factor has been present in every single case. Not the technology that failed. Not the attacker who found the gap. The human element.
Not because people are careless or indifferent to security — but because imperfection is built into everything humans create. The systems we build carry our limitations with them. The processes we design have gaps we did not anticipate. The decisions we make under pressure are different from the decisions we make in theory. That is not a criticism. It is a fact of how human beings operate. And in cybersecurity, ignoring that fact does not make the risk go away. It just means the risk goes unmanaged.
The human element is the permanent variable in cybersecurity. It cannot be eliminated. It can only be managed through structure, training, and culture. Organizations that understand this are the ones still operating after an incident. Organizations that treat cybersecurity as a technology problem, buying the right tools, setting up the right systems, and letting the technology handle it, are the ones that get surprised.
The Numbers Make the Case
Research indicates that 80 percent of small businesses were targeted by a cyberattack in 2025. Eighty-seven percent of small businesses have customer data that could be compromised in an attack. Those numbers describe exposure. They tell you that the threat is broadly distributed and that most small organizations are sitting on data that is valuable to a malicious actor, whether they recognize it or not.
What the numbers do not capture is the mechanism. How do attackers actually get in? In the overwhelming majority of cases, they go through the human layer. Phishing emails. Social engineering calls. Credential theft from employees who reused a password or clicked a link under time pressure. According to the Verizon 2025 Data Breach Investigations Report, the human element was a factor in approximately 60 percent of all breaches. When you include social engineering attacks, which are specifically designed to exploit human psychology rather than technical vulnerabilities, that share rises further still. Sprinto’s 2025 analysis found that 98 percent of attacks involve social engineering in some form.
For small businesses and nonprofits, this matters in a specific way. Large enterprises have security operations centers, dedicated IT teams, and technical controls layered throughout their environments. A sophisticated phishing email or social engineering call may still get through, but there are multiple systems designed to catch it before it causes damage. Your organization likely does not have those layers. If an employee clicks a malicious link or provides credentials to someone impersonating your bank, your cloud vendor, or your payroll processor, the path from that single action to a fully compromised environment can be very short.
This Is Not a Training Problem. It Is a Culture Problem.
What Training Does and Does Not Do
The typical organizational response to the human element in cybersecurity is security awareness training. Run a phishing simulation. Hold an annual training session. Send employees a reminder about strong passwords. That work has value. It is not wrong to do it. But it is not sufficient to address the underlying risk, and treating it as a solution rather than a component of a solution leaves organizations exposed.
Here is why. Training addresses knowledge. Culture addresses behavior. They are not the same thing. An employee who completes phishing awareness training and then, three months later, receives a sophisticated, personalized email that appears to come from a trusted source (the county health department, a longtime vendor, the executive director's personal email address) is going to make a judgment call under pressure, in the middle of a busy workday, with incomplete information. Training increases the odds they make the right call. Culture determines how the organization responds when they do not.
What Actually Works
The organizations that manage the human element effectively do three things.
First, they build structure: documented processes for how to handle suspicious emails, who to notify when something looks wrong, and what steps to follow when a potential incident is identified. Not a thirty-page policy document, but a clear, practiced protocol that every employee knows.
Second, they maintain ongoing reinforcement: regular, short touchpoints that keep security awareness active rather than treating it as a once-a-year event.
Third, they create psychological safety around reporting: an environment where an employee who clicked a suspicious link tells someone immediately rather than hoping nothing happens, because they know they will not be blamed for making the call under pressure.
That third element is often the missing one. The most dangerous moment in a breach is not when the employee clicks the link. It is the window of time between when they realize something may have gone wrong and when they tell someone. Every hour that window stays open, the damage compounds.
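One concrete form the first practice can take is a repeatable check that a reviewer runs on a reported message before anyone acts on it, so the decision does not rest on one person's judgment under time pressure. The script below is an added example written for this article, not Data Defenders' protocol or tooling; it uses only the Python standard library, and the trusted-domain list, the pressure-word list, and the sample message are constructed for illustration. It parses the raw email and reports the indicators a documented protocol would have someone confirm: a Reply-To that routes replies elsewhere, a sender domain that resembles a trusted one, SPF, DKIM or DMARC results that did not pass, an address hidden in the display name, and pressure language in the subject.

```python
"""Header triage for a reported suspicious email (added example, not the
article's or Data Defenders' own tooling). The trusted-domain list and the
sample message below are constructed for illustration."""
import difflib
from email import message_from_bytes
from email.utils import parseaddr

# Constructed: domains this organization legitimately receives mail from.
TRUSTED_DOMAINS = {"example-nonprofit.org", "countyhealth.example"}

# Words that push the reader to act now; pressure is the attacker's lever.
PRESSURE_WORDS = ("urgent", "immediately", "wire", "gift card", "cutoff")

# Constructed sample: an executive-impersonation message sent from a
# lookalike domain, with replies redirected and failed authentication.
SAMPLE_RAW = b"""\
Authentication-Results: mx.example-nonprofit.org; spf=fail smtp.mailfrom=example-nonprofit.co; dkim=none; dmarc=fail header.from=example-nonprofit.co
From: "Dana Ortiz (Executive Director)" <dana.ortiz@example-nonprofit.co>
Reply-To: <payments-desk@mail-relay.example>
To: bookkeeper@example-nonprofit.org
Subject: Urgent - wire today before the bank cutoff

Can you process the attached invoice before 3pm? I'm in meetings all day.
"""


def domain_of(address: str) -> str:
    """Lowercase domain of an RFC 5322 address, '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted: set) -> str:
    """Trusted domain this one closely resembles without matching, else ''."""
    if not domain or domain in trusted:
        return ""
    hits = difflib.get_close_matches(domain, sorted(trusted), n=1, cutoff=0.8)
    return hits[0] if hits else ""


def failed_auth(auth_results: str) -> list:
    """Mechanisms in an Authentication-Results header whose result is not 'pass'."""
    failed = []
    for clause in auth_results.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name, sep, result = tokens[0].partition("=")
        if sep and name.lower() in ("spf", "dkim", "dmarc") and result.lower() != "pass":
            failed.append(f"{name.lower()}={result.lower()}")
    return failed


def triage(raw: bytes, trusted: set = TRUSTED_DOMAINS) -> list:
    """Return human-readable indicators found in the message headers."""
    msg = message_from_bytes(raw)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # Replies silently going to a different domain is a classic payment-fraud sign.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    look = lookalike_of(from_domain, trusted)
    if look:
        findings.append(f"sender domain {from_domain} looks like trusted domain {look}")
    # A display name like "ceo@real.org" in front of an unrelated address.
    if "@" in display_name:
        findings.append(f"display name contains an address: {display_name}")
    for mech in failed_auth(msg.get("Authentication-Results", "")):
        findings.append(f"authentication did not pass: {mech}")
    subject = msg.get("Subject", "").lower()
    pressure = [w for w in PRESSURE_WORDS if w in subject]
    if pressure:
        findings.append("subject applies time pressure: " + ", ".join(pressure))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print("-", finding)
```

Run against the constructed sample, the script lists six indicators; a message that comes from a trusted domain with passing authentication and no redirected replies produces none. The checks are deliberately ones that do not depend on spotting bad grammar or odd phrasing, since well-written, personalized phishing no longer offers those cues; they look instead at routing and authentication facts an attacker cannot polish away.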
What This Means for Your Organization
The Operational Foundation
The human element cannot be removed from your security profile. Your organization is made up of people who bring dedication, expertise, and judgment to their work every day. They will also, at some point, make decisions under pressure that create openings for an attacker. Planning for that is not pessimism. It is an operational reality.
For a small business or nonprofit, the practical starting point is the foundational layer that makes everything else possible: multi-factor authentication on all accounts, so that a compromised password alone does not hand an attacker access to your systems; endpoint detection and response on all devices, so that if a device is compromised, you know about it before the damage spreads; a basic incident response protocol, so that when an employee notices something wrong, they know exactly who to call and what to do next.
For individuals managing business and personal accounts in the same digital environment, I walk through this operational thinking in detail in Compartmentalization: The Enterprise-Level Strategy That Protects Your Digital Life, separating access into discrete credential buckets so a single compromised account cannot cascade through your entire digital life. The companion episode, Ep 6: The New Rules of Personal Cyber Safety In 2026, covers the full strategy.
Culture Starts at the Top
Security awareness training is appropriate and valuable on top of that foundation, not as a substitute for structure, but as reinforcement for a culture that treats cybersecurity as a shared responsibility rather than the IT department’s problem. For organizations without a dedicated IT staff, that culture starts with the leader. If the executive director or business owner treats cybersecurity as a priority, the organization will treat it as a priority.
The community organizations, businesses, and nonprofits that serve Chicago and communities like it are doing irreplaceable work. The people who depend on what you do, your clients, your customers, your neighbors, need your organization to stay operational. Managing the human element is how you protect that mission. It is not a technology problem with a technology solution. It is an operational and leadership problem with an operational and leadership solution. And it is available to every organization, at every size, at a level of investment proportionate to their resources.
Helping organizations understand and manage the human element of cybersecurity risk is at the core of what we do at Data Defenders.
Also Recommended
- You Don’t Have to Be a Big Target to Be the Next Victim
- No Longer a Small Fish: Why AI and Quantum Computing Make Every Business a Target
- Compartmentalization: The Enterprise-Level Strategy That Protects Your Digital Life
- Ep 6: The New Rules of Personal Cyber Safety In 2026
For ongoing conversations on what cybersecurity operations actually look like for organizations like yours, The Cyber Resilience Report covers the real decisions behind building a defensible operation.
Frequently Asked Questions
Q: If my employees are the biggest risk, should I limit what systems they can access?
A: Restricting access to what employees actually need to do their jobs, the principle of least privilege (often implemented through privileged access management), is a foundational security practice. But limiting access is a structural control, not a substitute for culture. An employee with minimal access can still fall for a phishing email that hands an attacker credentials for the systems they do have access to. Structure and culture work together; neither is sufficient alone.
Q: What makes a phishing email so effective against employees who have completed security training?
A: The most effective phishing attacks are personalized, contextual, and arrive when the recipient is under time pressure. Training builds awareness of what to look for in a generalized sense. AI-powered phishing generates emails specific to the recipient, appearing from trusted contacts with relevant context. The gap between what training prepares employees for and what sophisticated phishing actually looks like is where most successful attacks occur.
Q: What does psychological safety around security reporting actually look like in practice?
A: It means that when an employee clicks a suspicious link or responds to what they later realize was a phishing attempt, their first instinct is to tell someone immediately, not to wait and hope nothing happens. That instinct is created by leadership behavior: how the organization responds when someone reports an error, and whether reporting is treated as a contribution to security or as evidence of a mistake. The window between when an employee realizes something may have gone wrong and when they tell someone is often where the most damage accumulates.
Q: Is annual security awareness training enough?
A: Annual training is better than no training. It is not sufficient as a stand-alone approach. Security awareness needs ongoing reinforcement through shorter, more frequent touchpoints that keep the material active rather than treating it as a compliance checkbox. The threat environment also evolves faster than an annual training cycle can track, particularly as AI-generated phishing becomes more sophisticated.
Q: What is the most important single action a small business owner or nonprofit director can take to reduce human element risk?
A: Make cybersecurity decisions visible. When leadership follows multi-factor authentication requirements, reports suspicious emails, and asks about the security of new tools before adopting them, the organization follows. Culture is set from the top, and the most powerful signal available to any leader is their own consistent behavior.
Q: How is AI changing the human element risk for small businesses?
A: AI enables attackers to generate phishing emails at scale that are personalized, grammatically correct, and contextually relevant, eliminating the obvious errors that security training has traditionally taught employees to recognize. This raises the baseline sophistication of what employees encounter without raising their ability to detect it. The implication is that technical controls, including multi-factor authentication and endpoint detection, become more important because they reduce dependency on every employee making the correct judgment call every time.
Q: At what point should a small business bring in outside cybersecurity help?
A: The threshold is not a company size or specific revenue figure. It is the point where your existing staff cannot realistically maintain the practices described in this article alongside their primary work. If multi-factor authentication and a documented incident response protocol are in place and functioning, you have the foundation. If those fundamentals are not in place, or if your organization holds significant customer data in a regulated industry such as healthcare or financial services, outside expertise accelerates the foundational work considerably.
Sources
• Verizon Business. “2025 Data Breach Investigations Report.” Verizon, 2025. (human element factor in ~60% of breaches)
• ConnectWise / Vanson Bourne. “The State of SMB Cybersecurity in 2024.” June 2024.
• Sprinto. “2025 Social Engineering and Cybersecurity Analysis.” 2025. (98% of attacks involve social engineering in some form)
About the Author
Cyrus J. Walker III, CCFE, is the Founder and CEO of Data Defenders, LLC®, a Chicago-based Managed Cybersecurity Operations Provider (MCOP) serving SMBs, nonprofits, municipal governments, and enterprises. With 30 years of experience spanning cybersecurity operations, digital forensics, and civic leadership, he has trained over 5,000 federal, state, and local law enforcement professionals, advised the U.S. Department of Homeland Security on election infrastructure security, and appeared on CNN, Bloomberg, Forbes, ABC, CBS, NBC, Fox, and NewsNation.