Human-Centric Cyber Risk: Practical Steps for IT Managers
People remain the primary attack surface in modern cybersecurity. Attackers combine psychological manipulation, supply-chain weaknesses, and technical exploits to turn ordinary user behavior and vendor trust into large-scale breaches. This article explains why the human factor matters, illustrates common attack patterns, and gives practical, prioritized steps IT managers can implement immediately.
Why the human factor matters
Human decisions and behaviors—clicking a link, reusing credentials, approving a vendor update, or failing to revoke access—are the entry points attackers exploit. Social engineering, compromised third parties, and insider actions convert single errors into systemic incidents that affect operations, reputation, and regulatory exposure.
Common human-centric attack patterns
Phishing and targeted social engineering: Highly personalized emails and messages trick users into revealing credentials or executing actions that bypass technical controls.
Supply-chain and vendor compromise: Vulnerabilities or malicious updates in third-party products can propagate to many organizations because administrators and users implicitly trust vendor processes.
Insider misuse and offboarding gaps: Delayed deprovisioning, shared credentials, and insufficient privileged-account monitoring enable current or former employees to exfiltrate or sabotage data.
Ransomware and extortion: Attackers combine social pressure with technical encryption and data theft to coerce payment; human panic and urgency increase the likelihood of payment or poor response choices.
Watering-hole and sector targeting: Compromised websites or partner systems used by a sector’s workforce can infect many victims through routine browsing or trusted workflows.
Recent illustrative incidents
Recent high-profile incidents have shown how human and vendor trust amplify impact. Compromises of widely used file-transfer platforms, attacks on service providers that support healthcare and financial operations, and persistent ransomware campaigns demonstrate that attackers exploit human trust, vendor relationships, and process gaps to scale harm across sectors.
Practical, prioritized steps for IT managers
Mandatory role-based training and phishing simulations
Run continuous, realistic phishing exercises; measure click and remediation rates; tailor training to roles with privileged access.
Vendor and supply-chain risk management
Maintain an inventory of critical third parties; require MFA, secure configuration attestations, and rapid patching SLAs; monitor vendor telemetry and change notifications.
Automated offboarding and least-privilege access
Integrate HR systems with identity management to ensure immediate deprovisioning; enforce least-privilege and just-in-time access for administrators.
Network segmentation and immutable backups
Segment networks to limit lateral movement; maintain offline or immutable backups and test recovery procedures regularly.
Privileged-account monitoring and threat hunting
Monitor privileged activity, use session recording where appropriate, and run proactive threat hunting to detect anomalous behavior early.
Incident response and tabletop exercises
Conduct cross-functional tabletop exercises that include IT, HR, legal, communications, and business units; update playbooks based on lessons learned.
OT and critical-infrastructure visibility
For organizations with operational technology, extend monitoring and segmentation to OT environments and collaborate with sector ISACs and regulators.
Culture and reporting incentives
Encourage reporting of suspicious activity without penalty; reward employees who identify and escalate threats; make security part of performance conversations.
Quick 30-Day Priorities for Immediate Impact
Enforce MFA for all administrative and remote access.
Run a focused phishing campaign for high-risk roles and remediate failures.
Automate deprovisioning for recent terminations and contractors.
Verify backups are immutable and perform a restore test.
Audit vendor inventory and confirm critical vendors use MFA and timely patching.
Measuring progress
Track metrics that reflect human risk reduction: phishing click rates, time to deprovision after HR events, percentage of privileged accounts using MFA, mean time to detect anomalous privileged activity, and recovery time objective for critical systems.
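As an added example that is not part of the article, the following script reconciles a constructed HR termination feed against a constructed identity-directory export, which is the check behind the automated-offboarding step above, and computes two of the metrics listed here: time to deprovision after an HR event and the share of privileged accounts using MFA. The one-hour SLA, the field names, and all records are assumptions made for illustration.

```python
"""Added example (not from the article): reconcile a constructed HR
termination feed against a constructed identity-directory export to find
offboarding gaps and compute two of the human-risk metrics listed above."""
from datetime import datetime, timedelta

# Constructed HR feed: user id -> termination timestamp (UTC).
HR_TERMINATIONS = {
    "alice": datetime(2025, 3, 1, 17, 0),
    "bob": datetime(2025, 3, 2, 9, 30),
    "carol": datetime(2025, 3, 3, 12, 0),
}
# Constructed directory export: one record per account (field names assumed).
DIRECTORY = [
    {"user": "alice", "enabled": False, "disabled_at": datetime(2025, 3, 1, 17, 20), "privileged": True, "mfa": True},
    {"user": "bob", "enabled": True, "disabled_at": None, "privileged": True, "mfa": False},
    {"user": "carol", "enabled": False, "disabled_at": datetime(2025, 3, 4, 12, 0), "privileged": False, "mfa": True},
    {"user": "dave", "enabled": True, "disabled_at": None, "privileged": True, "mfa": True},
    {"user": "erin", "enabled": True, "disabled_at": None, "privileged": False, "mfa": False},
]
NOW = datetime(2025, 3, 5, 0, 0)  # constructed report time
SLA = timedelta(hours=1)          # hypothetical deprovisioning SLA


def deprovisioning_findings(hr, directory, now, sla=SLA):
    """Return (findings, hours): findings lists terminated users whose account
    is still enabled or was disabled after the SLA; hours holds the
    termination-to-disable time for every account that was disabled."""
    by_user = {r["user"]: r for r in directory}
    findings, hours = [], []
    for user, terminated_at in hr.items():
        rec = by_user.get(user)
        if rec is None:
            continue  # no directory account to revoke
        if rec["enabled"]:
            findings.append((user, "still enabled", now - terminated_at))
            continue
        gap = rec["disabled_at"] - terminated_at
        hours.append(gap.total_seconds() / 3600)
        if gap > sla:
            findings.append((user, "disabled late", gap))
    return findings, hours


def privileged_mfa_coverage(directory):
    """Share of enabled privileged accounts that have MFA (1.0 if there are none)."""
    priv = [r for r in directory if r["privileged"] and r["enabled"]]
    return sum(r["mfa"] for r in priv) / len(priv) if priv else 1.0
```

Running the two functions against the constructed data flags bob (still enabled days after termination) and carol (disabled a day late), and reports that only half of the enabled privileged accounts use MFA.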
Closing
Human-centric risk is not solved by technology alone. IT managers must combine continuous education, automated identity and access controls, vendor governance, and cross-functional processes to reduce exposure. Treat people as both potential risk vectors and active defenders—empower them with clear procedures, timely tools, and a culture that rewards vigilance.