The new battleground for CISOs is human behavior
Attackers don’t always need a technical flaw. More often, they just trick your people. Social engineering works, and AI makes it harder to catch.
Only about one in four cybersecurity teams is highly effective at collaborating with the broader business (Source: LevelBlue)
A new LevelBlue report shows how this problem is growing worldwide. Forty-one percent of organizations say they are experiencing more cyberattacks than a year ago, rising to 49% in Asia-Pacific. Employees are struggling to tell the difference between real and fake communications. Globally, 59% of respondents report this problem, and in Latin America it climbs to 66%.
The report notes that AI is reshaping social engineering tactics, making them more convincing, easier to scale, and potentially more damaging.
Culture and leadership are not keeping up
The data shows that cultural and leadership gaps are leaving organizations exposed. Only 43% of organizations say they have an effective cybersecurity culture across the company. In Latin America that number drops to 36%. Governance is not much stronger. Forty-five percent of organizations report that their governance team does not understand cyber resilience, with the number closer to half in Europe and Latin America.
Executives are also falling short. Half of organizations say leadership does not prioritize cyber resilience. Collaboration is weak as well. Just one in four cybersecurity teams is seen as highly effective at working with the rest of the business.
Training the workforce is another weak spot. Only 20% of organizations have implemented a strategy to educate employees about social engineering. Even looking ahead, training remains a low priority. Over the next 12 months, just 26% of organizations say it will be a focus. Most plan to invest instead in technical measures (41%) or leadership engagement (37%).
“Establishing a culture of cyber resilience is imperative for organizations to effectively prepare for the emergence of more sophisticated social engineering attacks,” said Theresa Lanowitz, Chief Evangelist of LevelBlue. “These attacks exploit human behavior, so without the proper investment into education and training, including cyber resilience processes and engaging cybersecurity consultants, organizations and their employees remain vulnerable.”
Organizations are not ready for new attack methods
While organizations feel somewhat prepared for traditional attacks, they are far less confident about newer ones. More than half report readiness for business email compromise or personal information theft. But only 32% say they are prepared for deepfakes, even though 44% expect to face such an attack in the next year. Just 29% are prepared for AI-powered attacks.
Spending plans tell a mixed story. Thirty-three percent of organizations are making significant investments in resilience processes across the business, and 31% in generative AI for defense. At the same time, only 13% are putting major resources into zero trust architecture.
External support is also underused. Thirty-seven percent have worked with cybersecurity consultants, and only 32% have brought in training and awareness experts. The report indicates these numbers will rise only slightly over the next two years.
The report closes with four recommendations: increase leadership engagement, expand training tailored to employee roles, prepare for both established and new social engineering threats, and bring in outside expertise where needed.