
CISOs should shift their focus from chasing individual vulnerabilities to managing human risk.

Breaches continue to escalate in scale and speed, yet the most vulnerable point remains unchanged: people. According to Dune Security’s 2025 CISO Risk Intelligence Survey, over 90 per cent of incidents still stem from user behaviour rather than technical flaws. The survey indicates that attackers have adapted their methods, leaving enterprise defences struggling to keep pace. While every enterprise surveyed simulates email phishing, most do not extend their testing to other channels. Attackers have expanded their tactics to include encrypted messaging apps, SMS, voice calls, and collaboration platforms, which security teams rarely monitor. Sixty-four per cent of organisations reported a malicious social engineering attempt through these informal channels in the past year. None of the surveyed CISOs indicated that they simulated attacks over platforms like WhatsApp or Signal, and confidence in employees’ ability to identify threats in these areas is notably low.

David DellaPelle, CEO of Dune Security, emphasises that attackers exploit the blind spots where enterprises have no defence. Legacy Security Awareness Training (SAT) programmes focus primarily on outdated email threats, while real breaches now begin in high-trust, low-visibility channels. This gap lets attackers abuse trust in seemingly routine communications, such as fake executive messages on Teams or spoofed IT support requests in Slack.

Most organisations test only basic phishing scenarios: just 18 per cent tailor simulations to user roles and behaviours, even though 91 per cent of CISOs believe this is necessary. The lack of personalisation weakens awareness efforts, especially as attackers refine their tactics with AI-generated messages. Behavioural simulation data shows that AI-personalised emails generate three times more user interaction than traditional templates. Despite widespread email testing, only 26 per cent of CISOs express high confidence in their users' ability to detect phishing under real-world conditions.

The survey also highlights a shift in the definition of insider risk, with compromised and negligent users now posing significant threats alongside traditional malicious insiders. Many security leaders feel unprepared to address insider threats and acknowledge gaps in monitoring mobile devices, collaboration tools, and encrypted messaging. Without adequate oversight and training in these areas, insider attacks often go undetected until it is too late.

Categories: User Behavior, Attack Vectors, Insider Threats 

Tags: Breaches, User Behavior, Social Engineering, Encrypted Messaging, Phishing, Insider Threat, Simulation, Training, AI-Generated Messages, Enterprise Defenses 
