
We have sat in enough security reviews to know how this goes. The CISO presents the threat landscape. The board nods, asks about compliance status and whether the last audit findings have been closed. The meeting ends. And everyone goes back to clicking links in emails they probably should not have opened.
After years of watching organizations invest heavily in technology while underinvesting in their people, we can tell you it is not getting better on its own. IBM's Cost of a Data Breach report puts human error as a contributing factor in over 90% of cyber incidents. In Africa, where digital adoption is moving faster than security literacy can keep up, that number is not abstract. It shows up in real incidents, real losses, and real organizations that thought their technology stack had them covered.
It did not.
Your Employees Are Not the Weakest Link. They Are the Untrained Link.
We want to push back on something. The "weakest link" framing has always bothered us because it treats human behavior as the problem to be managed rather than the symptom of a deeper failure. Yes, people make mistakes. But look at what we are actually asking them to do.
They get a password policy on their first day. Maybe an annual compliance module that nobody enjoys. The occasional email from IT telling them not to click suspicious links. And then they are expected to identify a spear phishing email crafted by someone who spent two hours researching their LinkedIn profile, their manager's name, and a company announcement from last week.
That is not a fair fight.
KnowBe4's 2025 research found that without proper training, about 34% of employees will click a phishing link. With consistent, well-designed training that number falls below 5%. Think about that gap for a moment. You are not dealing with a people problem. You are dealing with a preparation problem, and it is entirely solvable.
How Attackers Actually Get In
Phishing is still the most common entry point, but not the lazy spray-and-pray kind. The attacks that actually succeed are personal. An attacker will research a specific employee, pull their role from LinkedIn, reference a real project or a real internal name, and send something that looks completely legitimate. Across the continent, where business happens across WhatsApp, SMS, and email all at once, that attack surface is wider than most organizations realize.
Business Email Compromise is another one that keeps coming up. It is essentially pretexting, where an attacker builds a believable enough story to get someone to transfer money, share credentials, or open access. It cost organizations across Africa hundreds of millions of dollars in 2025. No malware involved. No sophisticated exploit. Just a well written message and an employee who had no reason to doubt it.
Then there are insider threats, which people tend to underestimate. We wrote about this in our ransomware piece: criminal groups are now actively recruiting through gig platforms and social media. An insider does not have to be angry or disgruntled. Sometimes it is just someone who needed money and got a message that seemed harmless enough.
And honestly, some of the most damaging incidents we have seen were not malicious at all. Misconfigured cloud storage. A file sent to the wrong distribution list. A personal device on an unsecured network. These things happen constantly in organizations that have not made security part of how people work day to day.
AI Is Changing the Game and Not in Our Favor
The phishing emails of a few years ago were fairly easy to spot once you knew what to look for. Odd phrasing, generic greetings, a sense of urgency that felt slightly off. The emails arriving now are different. They reference real projects. They match writing styles. They arrive at the right time of day from what looks like the right person.
Voice cloning makes it worse. A threat actor can replicate someone's voice from a few seconds of audio. That is enough for a convincing voice note on WhatsApp asking a finance officer to process an urgent payment before end of business. We have seen how quickly that scenario plays out in organizations where employees have never been told it is even possible.
Nigeria's Securities and Exchange Commission has already raised the alarm on AI-generated investment scams hitting consumers directly. The same tools are now being pointed inward, at employees who have no frame of reference for what a synthetic voice or a deepfake video call even looks like, let alone how to respond to one.
Telling people to "verify before you click" does not cut it anymore when the verification itself can be faked.
Why Most Awareness Programs Do Not Actually Work
Here is something the industry does not talk about enough. Most security awareness programs are not built to change behavior. They are built to produce a completion certificate that satisfies an auditor.
A once-a-year module does not rewire how someone responds under pressure. It just does not. People finish the quiz, get their score, and move on. Two weeks later they are back to doing exactly what they were doing before.
What actually works is different. It is short, regular, and relevant to the specific role someone is in. A finance team member needs different training than someone in operations. And it has to feel safe to fail, because if employees are afraid of being blamed or embarrassed for clicking something, they will not report it. That silence is where breaches grow.
None of this lands without leadership taking it seriously. When executives treat security culture as a strategic priority rather than something they delegate to IT, the whole organization responds differently. That part is not optional.
What Needs to Change in 2026
The first thing is to stop measuring the wrong things. A 94% module completion rate tells you that people clicked through a presentation. A phishing simulation click rate that dropped from 28% to 9% over six months tells you that behavior is actually shifting. Those are not the same metric and they should not be treated as such.
Insider threat also needs a different conversation inside most organizations. Detection tools matter but they are reactive. The more durable protection is a workplace where people feel fairly compensated, genuinely valued, and safe enough to raise a concern before it becomes an incident. That is a culture question as much as a security one.
And for organizations running training built around Western corporate norms, it is worth asking honestly whether it is landing. The social engineering tactics being used on the continent are specific. They exploit local communication habits, familiar platforms, and the kind of trust that exists in high-context cultures. Training that ignores that context will not change how people behave when it counts.

The Bottom Line
No technology solves this on its own. Firewalls do not stop an employee who has genuinely been convinced they are doing the right thing. Encryption does not help when someone with legitimate access walks out with the data. Detection tools are valuable but they are reactive by nature.
The organizations that will hold up in 2026 are the ones treating human risk with the same seriousness they give to their technical controls. The ones that do not will keep finding that their most expensive breaches started with something embarrassingly simple.
Securing people is not a one-time intervention. Policies do not change behavior and training checklists do not build judgment. What does is a sustained, deliberate effort to make security part of how an organization thinks and operates every day. Idero's Security Awareness and Human Risk Management program is built to do exactly that: not just reduce click rates, but create a culture where security becomes second nature. Get in touch to learn how we can help.
