Are They Breaking In, Or Are You Letting Them In?

How AI and Human Risk Are Reshaping Cybersecurity
“Attackers don’t break in, they log in.” – Jody Westby
The battlefield has moved. Is your organisation ready?
For the last decade, the conversations dominating cybersecurity have been about technology: bigger firewalls, smarter intrusion detection, better spam filters, and more sophisticated endpoint protection. The underlying promise was always the same: if you build the technical walls high enough and strong enough, what is outside cannot get in. It was a plausible theory… until now.
Mimecast’s “State of Human Risk 2026” report, drawn from a survey of 2,500 IT and security decision-makers across nine countries, delivers a finding that feels like a gut punch:
“Human risk has surpassed technology gaps as the defining cybersecurity challenge of our time.”
Anyone who has spent the last few years investing heavily in technical defences should seriously consider the previous sentence. Not because the technology has failed, but because the attackers have stopped trying to beat it. They bypass it entirely, instead targeting the people on the other side of the screen.
The numbers do not make for comfortable reading
The report estimates that a single insider-driven data exposure, loss, or theft event costs an organisation an average of $13.1 million. Organisations in the survey reported experiencing an average of six incidents like this per month, which works out to a projected annual loss of around $943.2 million. That figure is not a hypothetical worst-case scenario; it’s reality.
It’s the current operating reality for organisations that haven’t closed the gap between the security they think they have and the security risk that exists at the human layer. It’s the kind of gap that appears on a random Tuesday, when cybercriminals decide to switch from technical targets to the very human targets most companies never think to upskill.
It is a very large and very bleak gap.
- 91% of organisations struggle to enforce consistent employee compliance with security policy.
- 96% acknowledge that their protection is incomplete.
- And yet only 28% have managed to implement both regular cybersecurity awareness training and regular checks on whether employees click on links.
The problem is not that organisations are unaware of their risk exposure. It is that this awareness has not translated into a culture of resilience within the organisation.
The battlefield has moved
Here is what has changed, and why the old model of security awareness is no longer good enough. The attack surface that organisations are defending has expanded beyond PCs in the office. Now everyone brings at least one device with them to work, and each Internet of Things (IoT) device is an additional connection, an additional entry point into an already strained system covering every desk, device, and inbox in the building. What was once just an email security problem has become a multi-channel threat landscape.
For 71% of the organisations surveyed, negative business impact from attacks targeting collaboration tools like Microsoft Teams, Slack, and Zoom was expected in 2026. Thirty-eight percent rely on the controls built into those tools, and 64% believe that the basic security controls built into them are not secure enough. [1]
The attacker’s strategy has evolved to match these gaps, with modern attack chains no longer targeting a single channel. They start with a phishing email, shift to a phone call, move to a Teams message, and exploit the fact that security controls at each layer were designed to operate independently rather than as a connected system. Trusted enterprise platforms like DocuSign and SharePoint are weaponised easily because the built-in security tools are designed to trust them by default. The attackers are not hacking through the wall; they are walking in through the front door wearing a visitor’s badge, greeted by everyone as they walk past.
AI has changed the stakes entirely
If the expansion of the threat surface shows how attack methods have evolved, the arrival of AI adds an offensive weapon potentially more damaging and insidious than anything we have seen before.
Sixty-nine percent of participants in the Mimecast report consider it inevitable that AI will be used in an attack against their organisation within the next 12 months. Eighty-two percent express concern about AI being weaponised as an attack vector, and 71% worry that their employees will fall victim to AI-enhanced social engineering. [2]
The concern is real and very valid. AI has removed the most recognisable traces of a phishing attempt: the poor grammar, odd formatting, and slightly off tone that security training taught employees to spot are no longer reliable signals. AI-generated content is grammatically perfect, fits the narrative, and in some cases is personally tailored using information scraped from LinkedIn, company websites, or prior communications. Automated business email compromise (BEC) conversation chains can now be sustained over weeks without human intervention. [3] AI-generated voice phishing can reproduce an executive’s voice with enough accuracy to convince a finance manager that a transfer request is legitimate, as the Arup deepfake fraud case in 2024 [4] and, more recently, the Foschini case in South Africa in 2025 [5] illustrated.
The battlefield has not just expanded. With these two tactical adjustments, it has relocated. No longer does cybersecurity talk emanate solely from the SOC room or the IT department, where trained professionals monitor dashboards and respond to alerts. It is on every employee’s desktop, in every notification, every message, every request that arrives in the flow of a normal working day throughout the organisation.
The technical controls that security teams rely on were built to defend a perimeter that no longer reflects how people work, how attackers operate, or how AI is now shifting both simultaneously.
Only 40% of organisations report being fully prepared with specific strategies for AI-driven threats, leaving a 29% gap between those who believe AI attacks are coming and those who are ready for them. [6]
Organisations are also more likely to have deployed AI-powered monitoring tools (48%) than to have trained employees to recognise AI-enhanced exploitation (44%) or to have created specific policies governing AI usage (41%). The technology investment is running ahead of the human capability it depends on to function, and less and less focus is being placed on the human behind the machine.
The three employees you are not thinking about
The report identifies three distinct user risk profiles that organisations are not giving enough attention to.
- The distracted employee, who poses a risk through careless behaviour rather than malicious intent, is the most recognised.
- The exploited employee, who is security-conscious but becomes a liability when threat actors specifically target them through social engineering.
- The malicious insider, who deliberately abuses access, is perhaps the most uncomfortable to acknowledge, but no less real. 42% of organisations reported an increase in threats from malicious insiders over the past year, exactly matching the 42% who reported a rise in negligent employee incidents. [7]
Each of these profiles requires a different response, and the response to one does not automatically address the others. Training the distracted employee does not prevent a targeted social engineering attack against a security-conscious one. Technical controls that detect malicious insiders do not stop a well-intentioned employee from clicking a convincing AI-generated link under time pressure. The 8% of employees who account for 80% of security incidents are not an easily recognisable group with a single vulnerability. [8] They are people at different points on a risk spectrum, targeted in different ways, and requiring training and awareness far more specific than a quarterly awareness module.
The gap where breaches happen
The phrase that the Mimecast report uses repeatedly is “awareness-action gap,” and it is the most accurate explanation of where organisational cybersecurity breaks down. The issue is not that organisations do not know what they should be doing; it is that knowing and doing are separated by the very psychological mechanisms that attackers are specifically trained to exploit.
Cialdini’s influence principles (urgency, authority, and social proof) [9] do not succeed because employees are not intelligent. They succeed because they work on intelligent people under pressure, in the flow of real work, at the exact moment when cognitive load is highest and deliberate thinking is least available.
This is the insight that sits at the centre of everything Cyber Dexterity builds.
Most awareness training operates under the assumption that knowledge creates behaviour change. The research, from Kahneman’s work on System 1 and System 2 thinking [10] to the cyberpsychology literature on the online disinhibition effect, [11] consistently shows otherwise. Knowledge is necessary, but alone it is not enough. What truly changes behaviour is training that meets people in the moment of decision, that builds genuine pattern recognition rather than recall under pressure, and that is designed with an understanding of how the human mind actually processes threat in real time rather than how we wish it would.
Where Cyber Dexterity operates differently is exactly in this space.
Our programmes are built on behavioural science and cyberpsychology, not on compliance checklists. The gamified simulations, immersive escape room formats, and scenario-based learning that put people inside the decision rather than lecturing them about it from a safe distance are not aesthetic choices. They are choices grounded in the evidence that experiential learning creates durable behaviour change in a way that slide decks and annual training modules do not.
The Mimecast data confirms what we have been saying to clients for years: the organisations best placed to manage human risk are not the ones with the most tools or the highest training completion rates. They are the ones that have closed the gap between what people know and what they do when the pressure is real, the message looks legitimate, and the clock is ticking.
The battlefield has moved to everyone’s desktop, and cyber posture is now the front line of defence. We need to be ready every single time, while attackers only need one moment of success. That is the reality your organisation is operating in every day.
The question is: how invested are you in the people defending it? And are you doing the right things to be effective?
Lets.engage@cyberdexterity.com
Basil Polydorou – Head of Learning Solutions | BSc Cyber Psychology Candidate
References
Cialdini, Robert B. Influence: The Psychology of Persuasion. HarperCollins, 2007.
Cronje, Jan. ‘Foschini Averts R22m Loss after Impostor Exec Dupes Employee’. News24, 5 February 2026. https://www.news24.com/business/companies/foschini-averts-r22m-loss-after-impostor-exec-dupes-employee-20260205-0611.
Elliott, David. ‘“This Happens More Frequently than People Realize”: Arup Chief on the Lessons Learned from a $25m Deepfake Crime’. World Economic Forum, 4 February 2025. https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/.
Kahneman, Daniel. Thinking, Fast and Slow. Penguin, 2011.
Mimecast. The Size and Shape of Workforce Risk. Mimecast, 2024. https://www.mimecast.com/resources/white-papers/the-size-and-shape-of-workforce-risk/.
Mimecast. The State of Human Risk 2026. Mimecast, 2026. https://www.mimecast.com/resources/ebooks/state-of-human-risk/.
Suler, John. ‘The Online Disinhibition Effect’. CyberPsychology & Behavior 7, no. 3 (2004): 321–26. https://doi.org/10.1089/1094931041291295.