Persistent Failures in Cybersecurity Awareness Training and Human-Centric Defenses
Despite years of investment in cybersecurity awareness campaigns and training, organizations continue to struggle with fundamental security issues such as poor password hygiene and susceptibility to phishing attacks. A recent discussion among cybersecurity journalists highlighted that nearly 30% of companies still rely on outdated password policies, while only a small fraction have adopted more secure passphrase approaches recommended by experts. The persistence of these problems underscores the limited effectiveness of current training programs, even as organizations face increasingly sophisticated threats targeting human vulnerabilities.
The ongoing challenges are exacerbated by the shift to hybrid workforces, which has rendered traditional perimeter-based security models obsolete and increased the attack surface for social engineering and credential-based attacks. Security experts emphasize the need for organizations to move beyond checkbox training and adopt more robust identity and behavioral detection strategies, as threat actors like Scattered Spider exploit weaknesses in identity systems and cloud environments. The failure to address these human-centric risks leaves organizations exposed to both basic and advanced cyber threats, highlighting the urgent need for a strategic overhaul of security awareness and identity protection measures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Dark Reading reports continued failure of traditional security awareness training
Dark Reading reported that organizations still struggle with poor password hygiene and phishing susceptibility, citing expert views that conventional awareness training has not meaningfully changed risky behavior. The article emphasized calls for behavior-focused security programs grounded in behavioral science.
Poll finds widespread weak password policies and phishing failures
During Cybersecurity Awareness Month 2025, a poll found that nearly 30% of companies still used 8-character password policies, only 17% had adopted passphrases, and 64% of executives admitted clicking phishing links. The findings highlighted persistent human-factor security weaknesses despite years of awareness efforts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Same Old Security Problems: Cyber Training Still Fails Miserably
darkreading.com
Open sourceDefending the Modern Identity Stack: Scattered Spider and the New Era of Identity Warfare
softwareanalyst.substack.com
Open sourceHybrid Workforce Security and Dark Web Monitoring
foresiet.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cybersecurity Awareness Guidance for Handling Suspicious Links and Employee Training
Cybersecurity Awareness Month serves as a critical reminder of the persistent risks posed by human error in cybersecurity, with a significant proportion of breaches attributed to avoidable user actions. When individuals click on suspicious links, immediate and structured responses are essential to mitigate potential threats. For work devices, the recommended action is to promptly contact IT support and adhere to established incident response protocols, as organizations often have specific tools and policies for investigating and remediating such incidents. On personal devices, users are advised to exit the browser, check for and delete any unauthorized downloads, and monitor for unusual device behavior such as increased battery drain, app crashes, or the appearance of unknown applications. If credentials are entered on a phishing site, it is crucial to change passwords immediately, force logouts on all devices, and remain vigilant for unauthorized multifactor authentication prompts, which could indicate active attempts to compromise accounts. These steps are designed to contain threats, prevent further compromise, and reduce the risk of follow-up attacks. Despite significant investments in security infrastructure, the majority of breaches still stem from human mistakes, highlighting the limitations of traditional security awareness training (SAT). Many employees find conventional SAT repetitive and disconnected from real-world threats, leading to disengagement and limited effectiveness. Modern cyber threats, including AI-driven phishing and social engineering, require adaptive and personalized training approaches. Just-in-time coaching, which provides immediate guidance when risky behavior is detected, can reinforce correct responses and improve knowledge retention. Personalizing training based on an employee’s role, risk profile, and observed behaviors ensures that content is relevant and impactful. The overarching goal is to transform employees from potential liabilities into active defenders by fostering behavioral change rather than mere compliance. Organizations are encouraged to adopt smarter, AI-enabled training solutions that address the evolving tactics of adversaries and bridge the gap between awareness and effective action. By combining technical response protocols with modernized training, both individuals and organizations can better defend against the growing sophistication of cyber threats. Continuous education, real-time feedback, and a focus on practical, scenario-based learning are key to reducing the risk of successful attacks initiated through user actions. Ultimately, a proactive and informed workforce is essential for maintaining robust cybersecurity defenses in the face of ever-changing threats.
Mar 21, 2026
Human Element Risks and Defenses in Cybersecurity
Cybersecurity experts are increasingly emphasizing the critical role that human behavior plays in both enabling and defending against cyber threats. Despite significant advancements in technical security controls, attackers continue to exploit human vulnerabilities through tactics such as phishing and social engineering. These attacks often succeed by manipulating emotions like urgency, fear, and friendliness, which can lead employees to inadvertently compromise organizational security. Burnout among staff, overly complex security controls, and a lack of engagement further exacerbate these risks, making organizations more susceptible to breaches. Security leaders are recognizing that technology alone cannot address these challenges; instead, a holistic approach that integrates human factors is essential. Practical strategies for mitigating these risks include connecting security responsibilities to every role within the organization, ensuring that security training is both engaging and relevant, and designing controls that prioritize usability. By fostering a culture of security awareness and making employees active participants in defense, organizations can transform the human element from a liability into a competitive advantage. The relationship between humans and artificial intelligence (AI) is also emerging as a new frontier in cybersecurity, with the potential for both increased risk and enhanced defense. As AI systems become more integrated into business processes, securing the interactions between humans and AI becomes paramount. This includes ensuring that AI-driven tools are not only technically robust but also that users understand their limitations and potential for misuse. Security awareness programs must evolve to address the unique challenges posed by AI, such as the risk of overreliance or manipulation of AI outputs. Organizations are encouraged to adopt a proactive stance, continuously assessing and adapting their human-centric security measures in response to evolving threats. The ultimate goal is to create an environment where employees are empowered to recognize and respond to threats effectively, supported by both technology and a strong security culture. By addressing the human factor comprehensively, organizations can significantly reduce the likelihood of successful cyberattacks. This approach requires ongoing commitment from leadership, investment in training, and a willingness to adapt security practices to the realities of human behavior. As the threat landscape evolves, the synergy between human awareness and technological controls will remain a cornerstone of effective cybersecurity defense.
Mar 21, 2026
Cybersecurity Awareness Month Initiatives and the Ongoing Threat of Phishing
Cybersecurity Awareness Month, championed by the US National Cybersecurity Alliance and CISA, serves as a focal point for organizations and individuals to reinforce best practices in digital security. Despite the annual emphasis on education and awareness, phishing remains one of the most persistent and successful attack vectors targeting organizations worldwide. Security professionals continue to implement layered defenses, including robust identity management, multifactor authentication, and comprehensive user education, yet attackers adapt their tactics to bypass these controls. The identity industry has developed advanced authentication technologies specifically designed to resist phishing, but adoption rates remain low, leaving many organizations vulnerable. Phishing attacks often exploit human trust, as seen in campaigns that weaponize familiar brands such as Microsoft to lure victims into tech support scams. These scams use social engineering, fake system alerts, and deceptive user interfaces to trick users into divulging sensitive information or granting remote access. One recent campaign identified by the Cofense Phishing Defense Center used a payment lure, redirecting users through a fake CAPTCHA challenge to a malicious landing page, ultimately locking the browser and escalating the scam. Such attacks demonstrate the evolving sophistication of phishing schemes and the importance of not relying solely on brand recognition for security. Security Awareness Month initiatives are effective in raising awareness and sparking important conversations about risk, but their impact can wane without ongoing reinforcement and structural changes. Organizations often see a decline in vigilance after the campaign period, leading to lapses such as weak passwords and misconfigurations. To address these gaps, experts advocate for continuous validation of identity, configuration, and privilege, as well as proactive threat hunting to detect and mitigate threats that bypass traditional awareness training. The combination of technical controls, user education, and active threat detection forms a more resilient defense against phishing and other cyber threats. Ultimately, while awareness campaigns are valuable, they must be part of a broader, sustained effort to build a cyber-strong organization capable of resisting evolving attack techniques. The ongoing challenge is to translate awareness into lasting behavioral change and technical resilience, ensuring that users remain vigilant and systems are continuously monitored for signs of compromise. As phishing tactics grow more sophisticated, organizations must adapt by integrating advanced authentication, regular training, and proactive security measures into their daily operations. The lessons of Cybersecurity Awareness Month highlight both the progress made and the work still required to effectively combat phishing and related threats.
Mar 21, 2026