COMMENTARY: The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element, but this isn't just about individual employees making mistakes. It represents a massive vulnerability that's costing enterprises billions in lost data, fraudulent transactions, and broken consumer trust.
While cybercriminals traditionally focused on breaking through technical defenses, they've now transformed their approach to simply logging in using compromised credentials. They're weaponizing social engineering, phishing, and deepfakes — now supercharged by Generative AI (GenAI) — to exploit human touchpoints across the enterprise at unprecedented scale. Every compromised employee account becomes a gateway to sensitive systems, customer data, and financial assets.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
Traditional security infrastructure technology — firewalls, endpoint protection, password policies — wasn't built for this evolution. These systems can't detect when a criminal uses valid credentials obtained through social engineering to access customer records, initiate wire transfers, or exfiltrate intellectual property.
The business impact has been staggering: In 2023 alone, enterprises lost $2.9 billion to business email compromise (BEC) attacks. Major brands saw their stock prices plummet after massive data breaches started with a single phished employee. And the reputational damage from losing customer data has become almost impossible to recover from in an era of eroding digital trust.
For enterprises to protect their assets, customers and reputation, they must implement continuous identity assurance across every business process — from employee onboarding to high-risk transactions.
Why attackers exploit human weakness
Phishing and social-engineering attacks have reached unprecedented sophistication, fueled by generative AI that lets attackers craft, scale, and adaptively tune their campaigns. These tools have changed what was once a manual process, making it easier than ever to exploit human psychology at scale.
The traditional enterprise response has been additive, with organizations layering on more security measures like frequent password resets, multiple authenticator apps, and 2FA requirements. While updating security practices has become crucial, simply adding friction isn't the answer — each new hurdle creates a cascade of challenges without necessarily improving security. Despite more authentication steps, attackers can still socially engineer users, and a determined attacker with sophisticated tools can often convince employees to bypass even complex security measures.
This creates mounting pressure on security and IT teams, which face surging support tickets as users struggle with password resets and locked accounts, growing complexity in managing multiple security platforms and vendors, increased manual review processes, and rising user frustration that often leads to security shortcuts. The ripple effects extend beyond security, impacting employee productivity and satisfaction, IT resource allocation, business process efficiency, and overall operational costs.
Teams need to implement intelligent identity assurance that can detect and stop impersonation attempts without creating unnecessary friction. Organizations require security measures that scale efficiently, while maintaining user experience and reducing operational burden on IT teams.
GenAI makes social engineering attacks more numerous and more convincing
GenAI has fundamentally changed how cybercriminals execute social engineering campaigns. It's dramatically reduced the time and effort needed to create convincing attacks, while simultaneously making these attacks more effective at deceiving employees. Here are two critical ways GenAI amplifies these threats:
How to strengthen workforce security
Protecting the workforce doesn’t have to create more headaches for the team. Companies need to adopt smart, seamless security measures that address vulnerabilities without slowing people down. Targeting critical moments and using adaptive tools can help safeguard systems while keeping employee experiences smooth. Here are a few strategies teams can apply:
Enterprises can protect their workforce and critical systems without creating unnecessary barriers, striking the perfect balance between security and usability.
Today's criminals use AI-powered social engineering to target the workforce, striking during critical business moments to steal data and drain funds through convincing impersonation attacks.
Strengthening identity verification means protecting the bottom line. By embedding intelligent verification into important workflows, organizations can stop sophisticated impersonation attempts before they result in costly breaches or fraud, while giving Infosec teams more data and time to stay on top of emerging threats.
Today, a single successful attack can lead to millions in losses. That's why companies need to implement intelligent identity verification to protect the organization's assets and prevent devastating financial damage.
Rick Song, chief executive officer, Persona
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.