Neal Bradbury is Chief Product Officer at Barracuda.
Building true cyber resilience demands a blend of technical controls, cultural change, continuous training and constant adaptation.
Cyberattackers no longer need to force their way into IT systems. They simply insert themselves into the rhythm of everyday business and count on people to make the next move. That’s why human-targeted attacks continue to succeed, even in organizations with strong technical defenses.
Barracuda threat analysts uncovered a phishing campaign that underscores the scale and sophistication of this challenge. Attackers impersonated senior executives at construction firms and delivered convincing project notifications through the Autodesk Construction Cloud. The links led to a legitimate Autodesk-hosted page containing a ZIP file. Once opened, users were met with a captcha screen designed to harvest Microsoft login credentials. The infrastructure was real. The messages were credible. The exploitation was entirely and effectively human-driven.
While advanced AI-driven security tools dramatically improve visibility across systems and applications, they still can’t predict how a person will react to a convincing email requesting information or payment. That’s why true resilience requires more than technology. It demands a clear understanding of human-centric risk, tailored training that reflects how people work and visible leadership commitment to making secure behavior the norm.
Why Human-Focused Attacks Work
Email remains the most reliable entry point for attackers. It gives them a direct line to their targets and allows them to exploit routine business behavior without raising alarms.
Phishing attacks lure people into revealing credentials or approving fraudulent requests that appear legitimate, with the number of active phishing kits doubling in 2025. Conversation hijacking takes this a step further: Instead of initiating a new message, attackers insert themselves into an existing email thread and subtly introduce a request for sensitive information or payment.
Account takeover is even harder to detect. Using stolen credentials, attackers access an employee’s mailbox, observe normal communication patterns and wait for the ideal moment to act. They may set up forwarding rules to stay hidden. When they finally send a message, it comes from a trusted account—making it difficult for both people and security tools to distinguish the fraud.
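One way a defender can surface the hidden forwarding rules described above, as an added example that is not part of the original article or of any Barracuda product: a short Python script that reads mailbox audit events and flags inbox rules that forward mail to an external domain, forward and delete the original, or appear shortly after a successful sign-in from a country the user has not signed in from before. The event schema, the sample log lines, the example.com and mail-example.net domains, the "ZZ" placeholder country code and the 24-hour window are all constructed assumptions, not any vendor's real audit format.

```python
"""Flag suspicious mailbox forwarding rules in audit events (constructed example)."""
import json
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral schema. Assumption:
# a real mail platform's audit export can be mapped onto these field names.
# "ZZ" is a placeholder country code, not a real location.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:02:11Z", "event": "signin", "user": "alice@example.com", "country": "US", "result": "success"}
{"ts": "2024-03-01T21:14:40Z", "event": "signin", "user": "alice@example.com", "country": "ZZ", "result": "success"}
{"ts": "2024-03-01T21:20:05Z", "event": "inbox_rule_created", "user": "alice@example.com", "rule": "Clean up", "forward_to": ["archive@mail-example.net"], "delete": true}
{"ts": "2024-03-01T09:30:00Z", "event": "inbox_rule_created", "user": "bob@example.com", "rule": "Share with assistant", "forward_to": ["assistant@example.com"], "delete": false}
{"ts": "2024-03-01T10:00:00Z", "event": "inbox_rule_created", "user": "carol@example.com", "rule": "Sort invoices", "forward_to": [], "delete": false}
"""

INTERNAL_DOMAINS = {"example.com"}          # assumption: the organization's own mail domains
RULE_AFTER_SIGNIN_WINDOW = timedelta(hours=24)  # assumption: correlation window


def parse_events(text):
    """Parse newline-delimited JSON, skip blank lines, return events sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["_ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])


def is_external(address):
    """True when the address's domain is not one of the organization's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_suspicious_rules(events):
    """Return (user, rule name, reasons) for each inbox rule that trips a signal.

    Signals are independent so a finding lists every reason that applied:
      * the rule forwards to an external address
      * the rule forwards AND deletes the original, hiding the copy from the owner
      * the rule was created within the window after a sign-in from a new country
    The location baseline is deliberately simple: a user's first observed sign-in
    country seeds it, and later countries count as new.
    """
    seen_countries = {}       # user -> set of countries observed so far
    recent_new_location = {}  # user -> time of latest sign-in from an unseen country
    findings = []
    for event in events:
        user = event["user"]
        if event["event"] == "signin" and event.get("result") == "success":
            known = seen_countries.setdefault(user, set())
            if known and event["country"] not in known:
                recent_new_location[user] = event["_ts"]
            known.add(event["country"])
        elif event["event"] == "inbox_rule_created":
            reasons = []
            targets = event.get("forward_to", [])
            external = [addr for addr in targets if is_external(addr)]
            if external:
                reasons.append("forwards to external address: " + ", ".join(external))
            if targets and event.get("delete"):
                reasons.append("forwards and deletes the original, hiding the copy from the mailbox owner")
            last_new = recent_new_location.get(user)
            if last_new and event["_ts"] - last_new <= RULE_AFTER_SIGNIN_WINDOW:
                reasons.append("created within %s of a sign-in from a new country" % RULE_AFTER_SIGNIN_WINDOW)
            if reasons:
                findings.append((user, event["rule"], reasons))
    return findings


if __name__ == "__main__":
    for user, rule, reasons in find_suspicious_rules(parse_events(SAMPLE_LOG)):
        print(f"{user}: rule '{rule}'")
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed log, only alice's rule is reported, with all three reasons; bob's internal forward and carol's sorting rule are left alone. In practice each signal on its own produces noise (employees do legitimately forward mail), so the value comes from combining them and from reviewing any rule created soon after an unusual sign-in.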
Human-targeted attacks exploit everyday workflows, which means training must be tailored to the specific behaviors and risks within each team. When training reflects real-world scenarios, employees are far better equipped to recognize and disrupt attacks.
Determining Risk
Not all teams face the same threats. The Association for Financial Professionals reports that business email compromise (BEC)—a type of impersonation attack that exploits organizational processes—remains one of the most common forms of payments fraud. Finance and accounts payable teams are key targets for BEC attacks as they regularly process payments and vendor updates. Executives face a different set of risks: Their authority and visibility make impersonation attempts more convincing and more damaging.
Treating every employee as if they face identical threats overlooks these nuances. A risk-based approach helps correct that imbalance. Resources like the NIST Cybersecurity Framework offer a structured way to assess exposure, prioritize controls and measure progress. They help leaders prioritize the attacks that matter most and train accordingly.
Tailoring Training To How People Work
For organizations without formal security training, the first step is simply creating shared awareness. Employees need a basic understanding of the risks they’re most likely to encounter and clarity on how the organization expects them to respond when something doesn’t look right. Establishing this baseline ensures everyone speaks the same language about security.
But awareness can’t be one-size-fits-all. Different teams interact with risk in very different ways. Finance and accounts payable teams, for example, routinely handle high-value transactions and see a disproportionate number of business email compromise attempts. Their day-to-day decisions carry immediate financial impact, which means they need guidance tailored to the specific threats embedded in their workflows.
Training should be continuous but also targeted and actionable. Ongoing education and feedback help employees recognize emerging tactics and reinforce secure habits over time. Tabletop exercises are especially valuable because they walk teams through realistic, hypothetical attack scenarios in a low-pressure setting. These discussions test how people think, communicate and make decisions during an incident, while also revealing gaps in processes or assumptions that might otherwise go unnoticed.
As generative AI becomes more embedded in daily workflows, training must also address data privacy. Employees need clear guidance on when AI tools are appropriate, and what information should never be entered into public systems.
Strengthening The Fundamentals
Defending against human-targeted attacks still depends on strong fundamentals: segmentation, backup and recovery. When these controls are weak or inconsistently applied, attackers don’t need sophisticated techniques to cause significant damage.
Segmentation acts as a series of firebreaks, limiting lateral movement if an attacker gains access through a compromised account. Backup and recovery plans serve a similar purpose. They don’t prevent attacks, but they determine how quickly a business can return to normal operations.
Incident response planning ties these elements together. Teams must know exactly what to do when they encounter a suspicious email or unauthorized request. Without practice, even well-documented plans can falter under pressure. Technology strengthens these fundamentals, but it cannot replace them.
Why Security Needs To Be Everyone’s Responsibility
Controls and training only work when security is treated as a shared responsibility. Culture matters.
Leadership plays a defining role. One practical way to embed security into your culture is to start every meeting with a short discussion of a security issue, reinforcing that security is a shared responsibility across the organization. That message is even more important today, as attackers increasingly impersonate executives and rely on authority and urgency to override good judgment.
No AI-powered tool can catch every attack that targets people. Improving security and overall resilience requires proactive steps: adopting a risk-based approach to identify and prioritize vulnerabilities, delivering training that reflects real team workflows and reinforcing core practices like segmentation and incident response.
Leaders must model secure behavior and embed security into everyday decision making. The path to strong security and resilience starts with an honest assessment of current risks and a clear road map for improvement. The cost of inaction is greater than the investment in preparation.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.