
AI threats get the spotlight, but it’s human error that puts businesses at risk


COMMENTARY: Even with all the attacks security teams face every day, a quieter, but equally costly danger continues to grow inside the enterprise: human error.

Hard-working, well-meaning employees have long been the most vulnerable area in any cybersecurity program, and today’s AI-generated phishing attacks make mistakes like clicking on malicious links more likely than ever.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

It’s no surprise that investment in security awareness training has boomed, with the market expected to surpass $10 billion by 2027.

But it’s not just social engineering attacks that cause missteps. Other forms of human error — like unwittingly sending an email to the wrong recipient — are seemingly innocuous, but introduce massive risk.

We’ve all done it. We write an email while distracted, or moving quickly. We start typing the contact’s name into the recipient field, and accept the auto-complete without a second thought. It’s a natural reflex for many of us, but it’s exactly the point where convenience turns into risk.

Our team recently discovered that nearly all (98%) security leaders consider misdirected emails a serious threat — even higher than malware or credential theft — with 96% experiencing data loss or exposure from a misdirected email just in the past year.

These are not minor disruptions. They result in real business harm: financial remediation costs, regulatory penalties, and erosion of customer trust. And unlike phishing or malware, these incidents are coming from trusted employees using completely valid credentials and sending legitimate messages — just to the wrong person.

Despite massive investment in inbound defenses, the outbound side of email risk remains largely unmonitored and unmanaged. As a result, organizations are protecting the front door while leaving the back door wide open.

Legacy data loss prevention (DLP) tools and traditional email security platforms were engineered for yesterday’s threats: external attackers, malicious payloads, and policy-violating content. What they were not designed to do was detect when an employee simply selects the wrong “John Smith” from the autocomplete list.

Because of this architectural blind spot, 47% of teams learn about misdirected emails from the unintended recipient — not from their security tools.

If a security team doesn’t know human-driven incidents are happening, it can’t fix them — and it can’t prevent the next one. Without visibility into the everyday communication behaviors of employees, organizations operate in the dark, discovering breaches only after sensitive data has already reached the wrong hands.

Rethink what “secure” means with behavioral AI

There are a few steps security leaders can take to encourage their employees to stay more vigilant about who they are sending emails to, such as offering clear guidelines for verifying external contacts and enabling email authentication warnings in the inbox. That being said, user education doesn’t always mitigate human error. That’s why it’s imperative to have a strong last line of defense.

Today, security leaders need technology that understands human behavior. Behavioral AI brings context — who people normally communicate with, what types of data they typically send, and when something looks out of character.

We can already see this shift gaining support in the industry, with 97% of security pros believing that behavioral AI could prevent accidental data loss before it occurs.

Instead of punishing employees for mistakes after the fact, behavioral AI can step in at the moment of action — nudging a user to double-check a recipient or flagging that sensitive data has been sent somewhere unusual. We don’t want to conduct surveillance; we want to support the company. It’s giving people a safety net when they’re moving fast, multitasking, or simply fatigued.
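As an added illustration of the send-time check described above (example code written for this page, not the column's or Abnormal AI's own logic), the snippet below builds a per-sender baseline from a constructed sent-mail log and nudges on the two cases the column names: an address that resembles an established contact (the wrong “John Smith”) and a recipient the sender has never emailed. All addresses and the log are constructed.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample of one sender's recent sent-mail log (sender, recipient);
# a real deployment would build this from mail-server or gateway logs.
SENT_HISTORY = [
    ("alice@example.com", "john.smith@partner.example"),
    ("alice@example.com", "john.smith@partner.example"),
    ("alice@example.com", "finance@example.com"),
    ("alice@example.com", "bob@example.com"),
]

def build_baseline(history):
    """Per-sender map of recipient address -> number of past messages."""
    baseline = defaultdict(lambda: defaultdict(int))
    for sender, recipient in history:
        baseline[sender.lower()][recipient.lower()] += 1
    return baseline

def _local(addr):
    return addr.split("@", 1)[0]

def _domain(addr):
    return addr.split("@", 1)[1]

def check_recipient(baseline, sender, recipient, similarity=0.8):
    """Decide at send time whether to let the message go or nudge the sender.

    Returns (verdict, reason) where verdict is "allow" or "nudge".
    """
    known = baseline.get(sender.lower(), {})
    rcpt = recipient.lower()
    if rcpt in known:
        return "allow", "established contact for this sender"
    # The "wrong John Smith" case: the address resembles an established contact
    # (same or nearly the same name) but is not the one the sender usually uses.
    for contact in known:
        ratio = SequenceMatcher(None, _local(contact), _local(rcpt)).ratio()
        if ratio >= similarity:
            return "nudge", f"resembles known contact {contact}; possible autocomplete slip"
    known_domains = {_domain(c) for c in known}
    if _domain(rcpt) in known_domains:
        return "nudge", "new recipient at a domain this sender already emails"
    return "nudge", "new recipient at a domain this sender has never emailed"

if __name__ == "__main__":
    baseline = build_baseline(SENT_HISTORY)
    for rcpt in ("john.smith@partner.example", "john.smith@gmail.example",
                 "jon.smith@partner.example", "carol@example.com"):
        print(rcpt, "->", check_recipient(baseline, "alice@example.com", rcpt))
```

The similarity threshold and the choice of local-part matching are assumptions for the example; a production system would also weigh message content and attachment sensitivity, as the column describes.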

For decades, enterprises have equated “secure” with “protected from attackers.” But inboxes don’t just attract external adversaries — they’re also where internal data loss begins. Organizations must evolve from purely defensive postures to proactive, human-aware protection.

Don’t let human error sink the ship

AI-powered attacks may feel like the storm overhead, but human error represents the unnoticed leak below deck — quiet, constant, and capable of sinking even the most well-defended organization. Businesses must recognize that their employees aren’t just potential points of compromise: they’re also points of vulnerability that deserve protection.

By applying behavioral AI to fight adversaries and understand how humans communicate, enterprises can transform human error from an inevitable liability into a manageable risk.

Mick Leach, Field CISO, Abnormal AI
