← Back to the blog

May 20, 2026 · 3 min read

Stop Blaming Your Employees

'Human error' doesn't explain a phishing incident, it hides broken technology. Why the system has to come first, not the person at the screen.

AA
Anton Anders
IT consultant & developer

Quick answer up front: if someone at your company clicks a phishing email and half the network ends up encrypted, the click wasn’t the problem. The problem was that a single click could encrypt half the network. The person is the last point in a chain that should have held in several places earlier. Almost nobody talks about those places.

The “human error” excuse

Few claims come up as reliably in security presentations as the assertion that nearly all incidents come down to human error. Nobody ever names a solid source for it — the percentage behind it has been wandering from slide to slide, unattributed, for years. Yet the line sounds convincing, and it’s convenient: it sells awareness subscriptions and shifts the responsibility onto the person at the screen. What it hides is the real question. Why could a single misclick do that much damage in the first place?

An employee who clicks a link is not a security incident. It’s a Tuesday morning. People click links, that’s their job. A system where that click is enough to harvest credentials, move sideways through the network and encrypt the backups along the way is the incident.

What punitive phishing does

The usual reflex is the phishing simulation with a pillory: whoever clicks gets a reprimand or a mandatory retraining. The result is rarely more security. It’s a team that has learned to hide mistakes.

That’s exactly what you don’t want. The most expensive hour in an attack is the one where someone has noticed something is wrong but doesn’t dare report it. Punishing people for clicks trains them into silence. You need the opposite: people who call within thirty seconds and say “I think I messed up.”

The system comes first

Before you spend a cent on simulations, make sure a single mistake doesn’t cost the whole house:

  • Turn on MFA for everything reachable from outside. Then a stolen password on its own is worthless — all the more so when team passwords are managed properly instead of living in a spreadsheet.
  • Put a mail filter in front that catches most phishing emails before anyone even sees them.
  • Grant few rights per account. Someone who only needs their three folders should only reach their three folders.
  • Keep tested backups out of reach, so an encrypted network stays annoying instead of turning existential.

None of these ask a human to be flawless. That’s the whole point. Security that depends on nobody ever clicking the wrong link isn’t security, it’s a bet. Incidentally, this is almost exactly the list your cyber insurer asks about in the application — two birds, one system.

Awareness yes, but as help

So there’s no misunderstanding: training makes sense. People should know what a good forgery looks like and who to turn to. But as help, not as a threat, and as a complement to working technology, not a replacement for it. The human is the last line of defence. You don’t build a house whose only wall is the last one.


Want to know whether a single click could really do that much damage at your company? Get in touch — in an independent consultation we’ll look at the chain, not the scapegoat.

Frequently asked questions

Is human error really the main cause of security incidents? +

The percentages usually quoted for that claim are unattributed. A click on a phishing email only turns into major damage when the technology and permissions behind it fail. The real cause is a system that lets a single mistake escalate.

What helps more than awareness training alone? +

MFA on everything reachable from outside, a mail filter, minimal rights per account and tested backups out of reach. These measures keep working even when someone clicks — training complements them but doesn't replace them.

What does a blame-free incident culture actually change? +

People report suspicious activity immediately instead of hiding it. The most expensive phase of an attack is the one where someone has noticed something and stays silent. Rewarding reports instead of punishing clicks shortens exactly that phase.

Sounds like your situation?

Let’s talk about it — free and with no strings attached.