Cyber Smart Week NZ: Emphasizing the Human Factor in Security
This Cyber Smart Week, it’s timely to reflect on an uncomfortable truth: many cyber incidents originate due to human factors. Verizon’s 2025 Data Breach Investigations Report (DBIR) reviewed over 22,000 security incidents and concluded that roughly 60 percent of confirmed breaches involved a human element — deliberate or accidental. In short: employees clicking a phishing link, misconfiguring access, or failing to spot deception remain a dominant threat vector.
Those human-factor statistics feed directly into frameworks like the CIS Critical Security Controls. The CIS community, which maps its controls to real-world threat data, uses such findings to justify investing in the human side of security — not just firewalls and endpoint protection.
CIS Control 14: Security Awareness and Skills Training
Among the CIS Controls, Control 14 is dedicated entirely to training and awareness. It acknowledges that technology alone won’t prevent every attack — people need to know how to spot threats, act safely, and respond to anomalies.
Within Control 14, Safeguard 14.9 — Conduct Role-Specific Security Awareness and Skills Training — is especially important. This isn’t generic “cyber hygiene for all” training. Instead, it demands that training speaks meaningfully to an individual’s role and risk exposure, such as:
- Developers get training on secure coding, input validation, and common web vulnerabilities.
- Finance teams learn to spot invoice fraud, social engineering tied to payments, and red flags in approval workflows.
- Executives and board members receive briefings on impersonation attacks, insider manipulation, and decision-making under duress.
Role-specific training closes critical gaps attackers love to exploit. When people are trained in the particular threats that affect their day-to-day work, the “human factor” becomes less of a weakness and more of an active defense.
Why Following These Controls Matters
From our work with clients, there’s a clear pattern: organisations that implement Control 14 (especially 14.9) consistently show stronger resilience. They:
- Detect phishing or internal misbehavior earlier
- Report suspicious events more freely
- Maintain higher overall vigilance, making lateral attacks harder to execute
In fact, firms that train by role tend to have fewer repeat incidents and lower remediation costs. It’s not a guarantee — security is never perfect — but it’s a demonstrable difference. The training builds the muscle memory and mindset that prevent small mistakes from cascading into full breaches.
When staff understand why certain requests are suspicious, they’re less likely to blindly comply. That intuition alone closes many attack pathways before technology even needs to respond.
National Initiatives: Strength in Collective Awareness
Beyond what individual organisations do, national programs help raise the baseline of cyber awareness. In New Zealand, Cyber Smart Week 2025 aims to bring that lift: helping citizens, small businesses, public services and families understand their online risks and defences. The government is hosting a webinar series to deliver free, practical sessions for all levels of tech comfort. Programmes like this matter because they help shift the culture. If more people can recognise phishing, use secure passwords, and report scams, then attackers face a harder environment. It’s a “trickle-up” effect: when even non-technical users push back, the weakest links in an attack chain get stronger.
Our New Fraud Training Module: Bridging Cyber & Financial Risk
To help clients meet the requirements of Control 14 (and Safeguard 14.9), we’ve developed a specialised Fraud Risk Management module on our CyberSafeHQ platform, currently free for individual enrolment. This module does more than just teach “don’t click suspicious links.” It layers in scenarios around insider fraud, payment manipulation, vendor scams, and executive impersonation. You can also check out the latest AI video content creation from Google Veo, to help you spot deepfakes!
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
