The Enemy Within: Why People Are Your Weakest Security Link
Last year, a multinational firm in Hong Kong made headlines when a clerk was tricked into wiring nearly $25 million to fraudsters after joining a video call with what looked — and sounded — like his company’s CFO and other execs. But the entire meeting was a deepfake, crafted with AI-generated voices and video.
He didn’t realize it was a scam until after the money was gone.
This incident wasn’t an isolated failure — it was one of countless examples of how attackers are bypassing technical defenses by targeting the human layer.
Why? Because the most sophisticated operating system in the world also contains the greatest number of bugs: the human brain. And thanks to AI, those bugs just got a lot easier to exploit.
Regardless of the most superhuman efforts, people simply can’t be patched. You can require employees to complete endless security awareness training. You can deploy wave after wave of security tools. But eventually, someone will make a mistake.
Humans are the most common weakness in any security strategy, and cyberattackers know this. Fortunately, Zero Trust offers a solution.
Your biggest security risk is human nature
Businesses and government agencies have critical data and infrastructures to protect. But there’s often a disconnect between how employees and their organizations think about cybersecurity.
Employees assume cybersecurity is a business-level problem that gets addressed beyond their individual role. Or they believe the cybersecurity problem is just unsolvable. I’ve even heard some say that they’re fine with hackers accessing their devices because they have nothing to hide — not realizing that a breach on their device often means access to the rest of the network.
For bad actors, employees’ bad security behavior is just an easy stepping stone to higher-level and more lucrative network access.
Even employees who do take their organization’s cybersecurity seriously, will inevitably make mistakes. Overlooked patches, missed updates, misconfigurations — the possibility for error is endless.
Your own team may all follow the highest security practices, but do you trust teams or agencies outside your own? What about the security practices of those who connect to your infrastructure from the outside, such as contractors, suppliers, auditors, or developers?
People make mistakes. Zero Trust prepares for it.
Mistakes will happen. And bad actors will take advantage of them.
A Zero Trust architecture assumes that one workload will eventually be breached, despite all best efforts at preventing it. While prevention is crucial, it’s not enough to fight against today’s complex, ever-changing threat landscape.
That’s why organizations need to turn their focus towards containing breaches. When a breach happens, a Zero Trust strategy stops breaches from spreading through the network, accessing critical data and assets, and causing lasting harm.
Humans should be treated as just as vulnerable — if not more —than any workload. Whether it’s a careless mistake or a deliberate act, we have to assume a bad decision will happen. The goal is to isolate the impact when it does, stopping it from spreading across the network.
Zero Trust means that nothing should be trusted, whether digital or human. Both need to be considered in a complete Zero Trust strategy.
Zero Trust: your backup plan for human error
People make mistakes. Systems fail. And attackers are more than happy to exploit both.
That’s why Zero Trust isn’t just a nice-to-have — it’s a must. It’s not about expecting perfection and preparing for reality.
By assuming breach, isolating impact, and containing the fallout, you stop a single mistake from becoming a full-blown disaster.
Zero Trust isn’t just a security model. It’s a mindset. And it’s time we apply it to everything, from workloads to users. Because trust is a vulnerability you can’t afford.