Security is like insurance: You only value it after the crash

It’s time to have honest, uncomfortable conversations about the human element of modern cyber threats.

Derryn Bentley, head of new business development at Info.Blueprint.

The most sophisticated technical defences in the world can be undone by a single person. According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches involve the human element, whether through simple error, social engineering, or stolen credentials. People are the most exposed attack surface.

This is not a criticism of employees. People are often busy and naturally trusting, and those are exactly the traits attackers exploit.

However, cyber security currently suffers from a lack of honest, uncomfortable conversations about these traits and how they affect our ability to protect information effectively.

The human element in modern threats

Cyber threats have evolved from random attempts into professional, organised operations. Advanced persistent threats are perhaps the most sobering example. These attackers are patient, often staying inside a network for months to map out systems.

The 2020 SolarWinds attack saw intruders go undetected for nine months, affecting 18 000 organisations. The entry point was not a technical failure, but human involvement.

Ransomware has also become highly targeted. In the 2023 MGM Resorts breach, attackers did not exploit a software bug to get in. They simply made a phone call. By posing as an employee and talking their way through a password reset with the helpdesk, they caused R1.8 billion ($100 million) in disruption.

The difficult task for security professionals is making security real to people without terrifying them. Currently, there isn’t a security tool on the market that can stop an attacker who convincingly pretends to be someone else.

I became close friends with an ethical hacker in 2018. That relationship changed my view on security and the world of hacking. I no longer had this image of cyber criminals from movies, where a man in a black hoodie “hacked the mainframe” from his mother’s basement. The world of security became real, tangible and ever-present.

Think of the recent Strava data leak. First, a French soldier inadvertently gave away his warship’s location; then some 500 British soldiers at sites across the UK did the same. While they may be military people, they’re also human beings, doing human things like recording their daily workouts on a fitness app.

One of the most effective ways to get leadership to take cyber security seriously is to show them the reality of their own exposure. Searching for an executive’s details on the dark web (if you’re a security professional who can safely do so) and presenting what is found can change the tone of a boardroom conversation instantly.

While you shouldn’t encourage staff to browse the dark web themselves, tools like Have I Been Pwned can show employees how their personal data has already been exposed in previous breaches.

Getting the basics right

The goal of a security strategy should not be to build an impenetrable fortress. Instead, the objective is to be a harder target than the business next door. Cyber criminals, like most burglars, look for the easiest path. If your “wall” is slightly higher than your neighbour’s, the attacker will likely move on.

Improving cyber security posture does not always require massive capital investment. It requires doing the basics right and maintaining them consistently.

Access control: Use multi-factor authentication across all e-mail and cloud platforms. Ensure staff only have access to what they need for their specific roles.

Patching: Apply security updates immediately. Critical vulnerabilities left unaddressed for months are an open invitation to hackers.

Backups: Keep regular, encrypted backups stored separately from your main network. A backup is only useful if you have tested that it actually restores correctly.

Incident readiness: Have a plan. Know who is responsible for what, and which legal obligations, such as POPIA notifications, apply if data is compromised.

Vulnerability scans and penetration testing.

The point is to get the basics right and educate your people. Make it interesting and make it real for them.

The cost of silence

The average global cost of a data breach has risen to over R80 million ($4.45 million). Beyond the immediate financial hit, businesses face regulatory fines, legal fees and long-term reputational damage.

Security is very much like insurance. No one wants to pay the premiums or deal with the paperwork until they have had an accident. By then, it is too late.