A few days ago, my friend Javvad Malik—a sharp voice in our industry and someone I trust—shared something that made me stop and think. Javvad, KnowBe4’s security awareness advocate, summed up the state of things beautifully:
“Cyber risk is not just about advanced technology; it is about human bandwidth and the cognitive load of today’s fast-paced digital workplace.”
Now, I’ve been around this industry long enough to see the threat landscape evolve from script kiddies in basements to AI-powered cybercrime syndicates operating at nation-state scale. And yet, here we are in 2025—and what’s the biggest reason for security breaches today? Not ransomware. Not zero-days. Not even deepfake phishing. It’s good old-fashioned human distraction.
Let that sink in.
According to a recent KnowBe4 study unveiled at Infosecurity Europe, 43% of cybersecurity professionals say the primary reason organizations fall victim to cyberattacks is employee distraction. That’s right—more than lack of training, more than pressure to act fast, more than even the sophistication of the threats themselves.
Let’s break that down:
– 41% still point to a lack of awareness training.
– 33% cite pressure to act quickly.
– 31% blame fatigue and burnout.
– But only 17.1% believe it’s the sophistication of threats that’s actually causing the problem.
It’s a damning indictment of our current culture—one that’s moving too fast, working too long, and thinking too little about the human element of cybersecurity.
There’s no doubt that in boardrooms and C-suites around the globe, cybersecurity is top of mind. It’s front and center in risk assessments, investor decks, and quarterly audits. And that’s a good thing. But here’s the problem: that urgency isn’t filtering down.
At the operational level—among employees juggling Zoom calls, Slack threads, deadlines, and endless notifications—security awareness is still an afterthought. It’s buried beneath a mountain of other priorities.
I see it firsthand. Even here at Techstrong, we’re constantly fighting off phishing and smishing attempts that impersonate me, targeting our team with fake requests for gift cards, phone numbers, or urgent help. The messages are slick. The tone mimics me. The timing is deliberate—sent during peak work hours, designed to hit when folks are distracted.
And guess what? They still get bites.
The KnowBe4 survey found 74% of threats today still revolve around phishing. The twist? Social engineering is evolving—47% of attacks now involve impersonation of senior leadership. That stat hit home hard. I’ve seen my name used in enough fake messages to know this tactic is alive and thriving.
Then there’s the AI factor. While only 11% of respondents currently see AI-generated attacks as a primary concern, a staggering 60% say they’re worried about future threats like deepfakes, AI-generated emails, and synthetic identity fraud.
We’re standing on the edge of something big—and our weakest point is still our people.
Futurum Research recently highlighted this very intersection, pointing out that while advanced threats such as AI-powered phishing and deepfakes are increasing, human error remains the leading cause of breaches—underscoring that “employee distraction and cognitive overload are the new zero-days.”
Here’s another eye-opener: 90% of orgs believe they’re prepared for a cyberattack, even as most admit to regular incidents. That’s not confidence—it’s delusion. Or at the very least, wishful thinking.
Sure, 65% plan to increase cybersecurity spending this year:
– 45% toward email security,
– 37% for awareness training,
– 34% for cloud security.
But while 32% believe AI tools will be game-changing, only 26% are investing in them. This mismatch—between belief and budget—isn’t just inefficient. It’s dangerous.
According to Futurum’s State of Cybersecurity 2024 report, organizations are “overestimating their readiness while underinvesting in the human side of security controls.” The same report warns that failing to address human risk factors—like distraction, burnout, and training fatigue—will keep organizations vulnerable no matter how much they spend on technology.
Let me be clear: throwing more tech at the problem won’t fix it. The firewall isn’t failing—the human firewall is. And we need to start treating it like the mission-critical infrastructure it is.
Here’s what I believe we need to do:
Cybersecurity isn’t just a tech problem or a compliance box. It’s a cultural challenge, a cognitive load issue, and a leadership imperative.
As Javvad said—it’s about bandwidth. And right now, our people are maxed out.
So the next time you’re tempted to blame a breach on some hacker halfway across the world, ask yourself: Are we really protecting our most vulnerable attack surface—the distracted, overloaded human sitting right next to us?
It’s time we stop ignoring the obvious. Because distraction isn’t just a nuisance.
It’s the new zero-day.
Alan Shimel is founder and Editor-in-Chief of Techstrong Group, a Futurum Company, and a longtime voice in cybersecurity, DevOps, and IT transformation. He’s also the frequent victim of impersonation scams, so if “he” ever texts asking for an Amazon gift card—just say no.