When the weak link has a first and last name
Celia Catalán
We live in 2025, in an era where perimeter security is no longer defined by walls, but by microsegmentation, adaptive authentication, and behavioral analysis. Where EDRs no longer just detect but autonomously predict and block. Where XDRs enrich telemetry with generative AI and SOCs are hybrid, distributed, and 24x7. Even so, in the full post-zero trust era, the most recurrent entry vector still has a human face.
Attackers know this. That is why more and more APT and RaaS (Ransomware-as-a-Service) campaigns start not from a technical vulnerability, but from a cognitive weakness: an email with a legitimate appearance, a convincing call, a link that was not verified. The click that changed everything. Or, more precisely, the click that is repeated every day in thousands of organizations.
The precedent remains human: from Lapsus$ to the 2025 BEC campaigns
Although the Lapsus$ attack on NVIDIA in 2022 marked a milestone — with more than 71,000 credentials stolen after access gained through simple social engineering — the patterns have not changed; they have only become more sophisticated. So far in 2025, groups like Storm-1811 and Octo Tempest have exploited MFA fatigue and QR phishing techniques to infiltrate technology, healthcare, and European public sector organizations. The use of real-time deepfakes to impersonate identities in video calls is no longer anecdotal but part of the offensive arsenal observed in the latest ENISA and CISA reports.
The first step of the kill chain — according to ATT&CK — remains Initial Access (TA0001), and the most used techniques are still linked to Phishing (T1566), Spearphishing Link (T1566.002), or Valid Accounts (T1078). In all these cases, the compromised link was not a firewall or an API: it was a person.
However, blaming an employee for not recognizing a spoofed domain or for falling for a voice deepfake is as ineffective as reproaching an operator for not knowing how to read an event log. The problem is not the human. It is not having given them the tools, training, and reflexes necessary to act with judgment and confidence. How many workers today would know how to identify a malicious QR code, a homoglyph domain, or a pretexting attempt via WhatsApp Business?
Cybersecurity, if not lived, is not internalized. And if not internalized, it does not protect.
Traditional awareness plans, based on generic courses once a year, are as outdated as an antivirus without heuristic analysis. A modern cyber-awareness program must be:
- Role-personalized: a developer does not need the same training as an administrative employee or a board member.
- Interactive and continuous: it is not about training once, but about reinforcing habits over time.
- Measurable and feedback-driven: every simulated phishing campaign must be accompanied by metrics, behavior analysis, and immediate feedback.
Additionally, it must include real scenarios as part of the training: Microsoft 365 spoofing, camouflaged QakBot campaigns, LinkedIn messages with files shared via OneDrive, and now also voice assistant manipulation with prompts designed to leak corporate information.
A solid cybersecurity culture is not born from technology nor decreed by internal policy. It is built day by day with leadership, consistency, and example. It happens when employees report a phishing attempt without clicking, when the management committee asks whether access is audited, or when a salesperson knows that sharing a proposal with a third party requires encryption and a digital signature.
Moving from “I didn't know” to “I don't fall for it” means transforming the perception of security: from bureaucratic obstacle to trust lever.
What to do, starting today?
If you lead an IT team, work as a CISO, or are simply part of the machinery that protects your company, here are some critical actions:
- Audit your current awareness program: is it updated to current threats? Is it role-specific?
- Introduce gamification, simulations, and crisis exercises: learn by doing, not just listening.
- Involve the leaders of each area: culture starts at the top, not in PowerPoints.
- Adapt training to today's digital reality: hybrid work, personal devices, mobility, generative AI, and uncontrolled SaaS applications.
Remember that the best firewall is still a trained, aware, and committed employee. Because the weakest link can also be the first shield if we give them the right tools.
And you, will you keep betting only on technology… or will you also train those who use it?
Beatriz Díaz, Training and Awareness Manager at Grupo Cybertix.