Quick answer up front: if someone at your company clicks a phishing email and half the network ends up encrypted, the click wasn’t the problem. The problem was that a single click could encrypt half the network. The person is the last point in a chain that should have held in several places earlier. Almost nobody talks about those places.
The “human error” excuse
Few claims come up as reliably in security presentations as the assertion that nearly all incidents come down to human error. Nobody ever names a solid source for it — the percentage behind it has been wandering from slide to slide, unattributed, for years. Yet the line sounds convincing, and it’s convenient: it sells awareness subscriptions and shifts the responsibility onto the person at the screen. What it hides is the real question. Why could a single misclick do that much damage in the first place?
An employee who clicks a link is not a security incident. It’s a Tuesday morning. People click links, that’s their job. A system where that click is enough to harvest credentials, move sideways through the network and encrypt the backups along the way is the incident.
What punitive phishing does
The usual reflex is the phishing simulation with a pillory: whoever clicks gets a reprimand or a mandatory retraining. The result is rarely more security. It’s a team that has learned to hide mistakes.
That’s exactly what you don’t want. The most expensive hour in an attack is the one where someone has noticed something is wrong but doesn’t dare report it. Punishing people for clicks trains them into silence. You need the opposite: people who call within thirty seconds and say “I think I messed up.”
The system comes first
Before you spend a cent on simulations, make sure a single mistake doesn’t cost the whole house:
- Turn on MFA for everything reachable from outside. Then a stolen password on its own is worthless — all the more so when team passwords are managed properly instead of living in a spreadsheet.
- Put a mail filter in front that catches most phishing emails before anyone even sees them.
- Grant few rights per account. Someone who only needs their three folders should only reach their three folders.
- Keep tested backups out of reach, so an encrypted network stays annoying instead of turning existential.
None of these ask a human to be flawless. That’s the whole point. Security that depends on nobody ever clicking the wrong link isn’t security, it’s a bet. Incidentally, this is almost exactly the list your cyber insurer asks about in the application — two birds, one system.
Awareness yes, but as help
So there’s no misunderstanding: training makes sense. People should know what a good forgery looks like and who to turn to. But as help, not as a threat, and as a complement to working technology, not a replacement for it. The human is the last line of defence. You don’t build a house whose only wall is the last one.
Want to know whether a single click could really do that much damage at your company? Get in touch — in an independent consultation we’ll look at the chain, not the scapegoat.