The Most Overlooked Cybersecurity Threats and How to Defend Against Them by Petar Vojinovic


Petar Vojinovic
Writer

Updated on: March 20, 2026

Cybersecurity conversations often focus on the obvious threats: ransomware, nation-state actors, zero-day exploits. Yet some of the most damaging risks are the ones organizations quietly assume are already handled. They believe the firewall is enough. They trust the cloud provider. They think antivirus equals security. They assume insider threats are under control.

At SafetyDetectives, we regularly speak with security leaders, founders, and incident response experts who see a very different reality behind the scenes. The common thread is not a lack of tools; it is misplaced confidence. Silos between HR and security. Default credentials left unchanged. Legacy systems that appear stable but quietly accumulate risk. Small businesses convinced they are too small to matter. Analysts overwhelmed by alerts while attackers exploit predictable human behavior.

In this roundup, leading experts share the internal blind spots, overlooked psychological factors, and false assumptions that continue to expose organizations of every size. Their insights reveal a consistent pattern: the greatest vulnerabilities are rarely exotic or highly technical. More often, they stem from habits, culture, and the comforting illusion that someone else has already taken care of the problem.

How are attackers exploiting remote work setups in ways many businesses still underestimate?

Remote workers are often assumed to be just as protected as they are in the office. In reality, the home environment is usually far less secure.

Most people use personal Wi-Fi routers that haven’t been properly configured or updated. Employees may also use personal devices for work or connect from coffee shops, hotels, or shared networks. All of this creates more opportunities for attackers.

Cybercriminals know this and often target remote workers with phishing emails designed to steal their login credentials. Once attackers have a valid username and password, they can often log into company systems without triggering alarms, because they appear to be legitimate users.

Another issue is the number of cloud apps employees connect to without IT teams fully tracking them. Each new app or service can become another entry point if it isn’t properly secured.

To reduce these risks, companies should enforce strong multi-factor authentication, monitor their external attack surface, and regularly test their systems for weaknesses.

Remote work itself isn’t the problem. The real issue is when organizations assume their security practices automatically extend beyond the office walls.

Learn more at www.CybersecurityMadeEasy.com

Terry Cutler, Founder & CEO of Cyology Labs

What internal security risk do organizations assume is “handled” but actually isn’t?

Most organisations boast robust cybersecurity defences: firewalls, encryption, behaviour analytics, and access controls, creating the illusion that insider threats are well managed. HR adds background checks, onboarding, and termination processes. Yet insider risk remains one of the most underestimated vulnerabilities, not due to failing technology but to profound organisational silos. The core problem is the disconnect between Human Resources and Information Security. HR holds vital human context: employee disgruntlement, financial stress, performance issues, disciplinary matters, and personal crises. Security tracks technical indicators such as anomalous logins, unusual data transfers, and access deviations. Neither side shares information systematically, leaving both blind to the whole picture.

Insider threats are fundamentally human problems, yet organisations treat them primarily as technical ones. Research shows that effective mitigation requires integrating HR, IT, compliance, and leadership (Alghamdi et al., 2025; Ussher-Eke, 2025). Early behavioural warning signs (disgruntlement, isolation, or hostile intent) are often visible to HR or managers long before security tools flag malicious activity (Jones, 2024). Without collaboration, these signals go unheeded, allowing threats to escalate undetected. HR typically engages only reactively during incidents or terminations, missing opportunities for continuous risk assessment. Security lacks the context needed to distinguish legitimate activity from genuine threats, resulting in false positives or missed threats. Until organisations bridge this HR-security divide through structured information sharing and joint threat assessment, insider risk will remain invisible and unmanaged. It is not merely a technology challenge; it demands fundamental organisational redesign.

Citations:

Alghamdi, A., Niazi, M., Cordeiro, L. C., Humayun, M., & Stewart, A. (2025). Mitigating insider threats: Insights from software security experts for process improvement and risk reduction. Proceedings of the 2025 29th International Conference on Evaluation and Assessment in Software Engineering Companion, 41–48. doi:10.1145/3727967.3756845

Jones, L. (2024). Unveiling human factors: Aligning facets of cybersecurity leadership, insider threats, and arsonist attributes to reduce cyber risk. SocioEconomic Challenges, 8(2), 44–63. doi:10.61093/sec.8(2).44-63.2024

Ussher-Eke, D. (2025). The human firewall: How HR shapes cybersecurity culture. International Journal of Science and Research Archive, 16(2), 505–514. doi:10.30574/ijsra.2025.16.2.2349

Garry Bergin, PC, MSc, CSyP, CPP, MSI, SRMCP, CTSP, F.Sec.I.I, FSyI, F.ISRM

Which misconfiguration or default setting do attackers most commonly exploit, and why is it still so widespread? Additionally, how do legacy systems silently increase risk, even when they appear to be functioning normally?

As someone who’s been turning over rocks in cybersecurity since founding Lazarus Alliance back in 2000, I can tell you this isn’t rocket science (Rock Science), it’s basic hygiene that too many organizations still ignore. Attackers love default credentials because they’re predictable, public, and require zero creativity to exploit. Think about it: manufacturers ship routers, IoT devices, databases, and even enterprise software with usernames like “admin” and passwords like “admin” or “password123.” These are documented online, often right in the user manual or on forums. A simple automated scan finds thousands of exposed devices in minutes. It’s the cybersecurity equivalent of leaving your front door unlocked with the key under the mat labeled “Key.” It’s not a technology problem; it’s a people and process problem. Organizations deploy systems fast to meet business needs: spin up a new SaaS tool, plug in an IoT sensor farm, rush a cloud migration. Security hardening gets deprioritized because “it works out of the box.” Convenience wins over caution.

Legacy systems are like ticking time bombs in many enterprises. At Lazarus Alliance, we’ve audited countless environments where these old workhorses keep humming along, processing data and supporting operations without a hitch. But that’s the danger: their apparent stability masks escalating vulnerabilities that attackers exploit. Don’t wait for symptoms; be proactive. Start with a full asset inventory to identify legacy elements, then conduct vulnerability assessments and red team simulations to expose silent gaps. Segment them from critical networks, virtualize where possible, or migrate to cloud equivalents with built-in security. At Lazarus Alliance, our Proactive Cybersecurity® approach includes continuous monitoring and compliance audits to turn these liabilities into managed assets. Remember, if it’s old and unsupported, it’s not “stable”; it’s a risk multiplier.

Michael D. Peters, CEO of Lazarus Alliance
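The automated scan Michael Peters describes is easy to reproduce against your own inventory. The Python script below is an added example, not code from the article or from Lazarus Alliance: it starts a throwaway local web server that plays a device still shipping with admin/admin, then tries a short, constructed list of factory credentials against every URL in a constructed inventory and reports the hosts that accept one. Everything it touches is on localhost, so it runs offline.

```python
"""Default-credential audit against an inventory of HTTP admin interfaces.

Added example; not code from the original article or from Lazarus Alliance.
It spins up a throwaway local "device" whose admin page still accepts the
factory login admin/admin, then checks every inventoried URL against a short
list of well-known defaults and reports which hosts still accept one. The
inventory, the credential list and the demo device are constructed here so
the script runs offline; a real audit would point it at the asset inventory.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed list of factory (username, password) pairs. Vendor documentation
# and public default-password lists are the usual source in practice.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "password123"),
    ("root", "root"),
]


def basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def credential_accepted(url, username, password, timeout=3):
    """True if the endpoint answers 2xx to a GET carrying these Basic-auth credentials."""
    req = Request(url, headers={"Authorization": basic_auth_header(username, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError:  # 401/403 and friends: credentials rejected
        return False
    except OSError:    # refused, timed out, unresolvable: host not reachable
        return False


def audit(inventory, credentials=DEFAULT_CREDENTIALS):
    """Return {url: [(user, password), ...]} for every URL that accepts a default pair."""
    findings = {}
    for url in inventory:
        hits = [(u, p) for (u, p) in credentials if credential_accepted(url, u, p)]
        if hits:
            findings[url] = hits
    return findings


# --- Throwaway target for the demo: a "device" shipped with admin/admin and never changed.
class FactoryDefaultDevice(BaseHTTPRequestHandler):
    EXPECTED = basic_auth_header("admin", "admin")

    def do_GET(self):
        if self.headers.get("Authorization") == self.EXPECTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"device admin console\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_demo_device():
    """Serve the vulnerable demo device on a free localhost port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FactoryDefaultDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/"


def run_demo():
    """Audit a constructed inventory: the demo device plus one unreachable host."""
    inventory = [start_demo_device(), "http://127.0.0.1:9/"]
    return audit(inventory)


if __name__ == "__main__":
    for url, creds in run_demo().items():
        print(f"{url} still accepts default credentials: {creds}")
```

Run it as-is to see the demo device flagged. To audit real equipment, replace the inventory with the admin URLs from your asset list and the credential list with the vendor defaults for those models, and only against systems you are authorised to test. An unreachable host produces no finding at all, so run the check against a complete inventory rather than reading an empty result as a clean bill of health; that is why the inventory step he recommends has to come first.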

What cybersecurity threat affects small businesses the most but is often dismissed as a “big enterprise problem”?

Small businesses almost always underestimate the threats they face, and there are two misconceptions that are particularly damaging.

The first is the belief that small organizations are unlikely to be targeted by nation-state threat actors. That simply isn’t true, and it hasn’t been true since at least 2019–2020. When you look at the targeting strategies of threat actors like Salt Typhoon and others, and combine that with what we see from ransomware groups, initial access brokers, and the broader cybercriminal ecosystem, it’s clear that small businesses are very much in the crosshairs. They are facing adversaries with the means, motive, and methods to do real harm.

The second issue is what I’d describe as the “security poverty mindset” (closely related to the “security poverty line” where organizations lack the resources to effectively address cybersecurity), where small businesses dismiss cybersecurity as “the domain of the big enterprise.” Not only is this incorrect, it can often turn into a kind of security nihilism – nothing gets done, because leaders believe nothing meaningful can be done.

In reality, there are always practical, high‑impact steps that organizations of any size can take. Focusing on the simple, foundational controls first, and prioritizing the most impactful risk‑reduction measures, is both achievable and essential for small businesses.

Casey Ellis, Founder of Bugcrowd

What role does human psychology play in overlooked cyber threats, and how can companies realistically mitigate it? Also, which emerging attack vector do you think will cause the most surprise incidents over the next 12-24 months?

Cybersecurity is as much about psychology as technology. Human tendencies like inattentional blindness, expectation bias, and alert fatigue shape which threats are seen, ignored, or rationalized away. Inattentional blindness means analysts can miss obvious malicious activity when their focus is elsewhere, similar to the “Invisible Gorilla” experiment where viewers overlook a person in a gorilla suit while counting passes. Expectation bias leads people to fit data to prior assumptions: a login from an unusual location may be dismissed because “the user travels a lot” – until that assumption fails. Constant overload from noisy alerts then creates fatigue, stress, and burnout, further degrading judgment. Attackers understand this and are creative in exploiting human behavior.

Companies can realistically mitigate this by automating wherever possible: use AI-driven correlation, enrichment, and triage so humans handle fewer, higher quality alerts. Complement this with targeted awareness training on cognitive biases, realistic simulations, and a culture that encourages speaking up about uncertainty instead of blaming individuals for misses. Use humans wisely – they are both the most valuable and the most fragile line of defense.

My view is that the most surprising incidents in the next 12–24 months will not necessarily be the largest in scale, but the ones that mark a milestone in the evolution of malicious botnets and could become among the most impactful. The recent Moltbook experiment has introduced a new kind of threat that may ultimately outperform earlier botnets such as Mirai or Emotet in both capability and damage potential. What happens if millions of AI agents are taken over by a single actor? The capabilities of such an AI botnet could exceed those of traditional botnets by several orders of magnitude, and its financial impact would, too. A self‑learning, self‑optimizing network that automates vulnerability exploitation, malware distribution, and coordinated attacks on critical infrastructure would far exceed defenders’ capabilities today and, hopefully, will remain only a nightmare scenario.

Markus Ludwig, CEO of ticura, and Matt Moore, Head of Client Strategy and Success at ticura
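Two of the answers above point at the same gap from different sides: Terry Cutler notes that a valid username and password let an attacker log in without triggering alarms, and Markus Ludwig and Matt Moore argue that analysts need fewer, higher-quality alerts. The Python below is an added example, not code from the article or from either company. It parses a constructed batch of identity-provider alerts, groups them per user into time-windowed incidents, enriches each with a constructed table of the countries that user normally logs in from, and scores the result, so that a burst of failures followed by a success from a never-seen country rises to the top instead of being waved through as “the user travels a lot”.

```python
"""Correlation, enrichment and triage over a constructed batch of identity alerts.

Added example; not code from the original article, from ticura or from Cyology
Labs. A valid username and password used from the wrong place looks like a
legitimate user unless login context is checked, and analysts cope better with
a few scored incidents than with a raw stream. Raw alerts are parsed, grouped
per user into time-windowed incidents, enriched with each user's baseline
countries, and scored. The alert lines, the baseline table, the window and the
weights are all constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw alerts as an identity provider might emit them.
RAW_ALERTS = [
    "2026-03-10T08:01:00Z user=alice event=login_failed src=203.0.113.10 country=DE",
    "2026-03-10T08:01:20Z user=alice event=login_failed src=203.0.113.10 country=DE",
    "2026-03-10T08:01:40Z user=alice event=login_failed src=203.0.113.10 country=DE",
    "2026-03-10T08:02:05Z user=alice event=login_success src=203.0.113.10 country=DE",
    "2026-03-10T08:20:00Z user=alice event=login_success src=198.51.100.7 country=BR",
    "2026-03-10T09:00:00Z user=bob event=login_success src=192.0.2.44 country=US",
    "2026-03-10T09:05:00Z user=bob event=login_failed src=192.0.2.44 country=US",
    "2026-03-10T09:30:00Z user=carol event=login_success src=192.0.2.99 country=FR",
]

# Constructed enrichment table: countries each user has logged in from recently.
# This replaces the guess "the user travels a lot" with a checkable fact.
USER_BASELINE = {"alice": {"DE"}, "bob": {"US", "CA"}, "carol": {"FR"}}

WINDOW = timedelta(minutes=30)  # gap that separates two incidents for one user
FAILED_BURST_THRESHOLD = 3
WEIGHTS = {"failure_burst": 40, "new_country": 30, "multi_country": 30}


def parse_alert(line):
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def correlate(alerts):
    """Group alerts per user; start a new incident whenever the gap exceeds WINDOW."""
    by_user = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_user[a["user"]].append(a)
    incidents = []
    for user, events in by_user.items():
        current = [events[0]]
        for e in events[1:]:
            if e["ts"] - current[-1]["ts"] > WINDOW:
                incidents.append({"user": user, "events": current})
                current = [e]
            else:
                current.append(e)
        incidents.append({"user": user, "events": current})
    return incidents


def triage(incident):
    """Return the incident with 'reasons' [(code, text), ...] and a numeric 'score'."""
    user, events = incident["user"], incident["events"]
    failed = [e for e in events if e["event"] == "login_failed"]
    successes = [e for e in events if e["event"] == "login_success"]
    reasons = []
    if len(failed) >= FAILED_BURST_THRESHOLD and successes:
        reasons.append(("failure_burst", f"{len(failed)} failures then a success"))
    success_countries = {e["country"] for e in successes}
    unseen = success_countries - USER_BASELINE.get(user, set())
    if unseen:
        reasons.append(("new_country", f"success from never-seen country {sorted(unseen)}"))
    if len(success_countries) > 1:
        reasons.append(("multi_country", f"successes from {sorted(success_countries)} within one window"))
    score = sum(WEIGHTS[code] for code, _ in reasons)
    return {**incident, "reasons": reasons, "score": score}


def run_triage(lines=RAW_ALERTS):
    """Parse, correlate and triage; return incidents ranked highest score first."""
    incidents = [triage(i) for i in correlate([parse_alert(l) for l in lines])]
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in run_triage():
        print(f"{inc['user']:6} score={inc['score']:3} events={len(inc['events'])}")
        for _, text in inc["reasons"]:
            print("   -", text)
```

Eight raw alerts become three incidents, of which only one carries a non-zero score. The weights and the 30-minute window are arbitrary demo values; in practice they are tuned against your own false-positive rate, and the baseline would come from the identity provider's sign-in history or HR travel records rather than a hard-coded dictionary.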

What common security “best practice” gives organizations a false sense of protection?

Cloud gives a false sense of protection.

Many businesses think:

“We’re in the cloud. We’re safe.”

But the cloud provider only protects their system, not how you use it.

You’re still responsible for:

  • Who is logging in
  • Logins from public or unsecured Wi-Fi
  • Third-party apps connected to your system
  • Over-permissioned employees
  • Shared files exposed by mistake

And if the cloud provider is breached, misconfigured, or exploited — your data and your clients’ data go with it.

This is the main reason you need to have cybersecurity in place, so you can be sure that you, your team and your clients are safe.

A Very Common Insurance Myth.

We work with many independent insurance agencies and agents and constantly find that they think an antivirus covers the functions of cybersecurity.

Antivirus only protects devices from known malware.

It does not stop:

  • Phishing
  • Account takeovers
  • Email fraud
  • Credential theft
  • Cloud breaches

Most businesses handle sensitive data every day. That data moves through email, cloud systems, and remote devices.

Today’s protection requires:

  • 24/7 monitoring
  • Email security
  • Layered user protection
  • A real response plan

Antivirus is one tool.

Cybersecurity is an ongoing operation.

Daniel Metcalf, Co-founder & President at CyberFin
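The responsibilities Daniel Metcalf lists are configuration the customer controls, which means they can be checked mechanically. The Python below is an added example, not code from the article or from CyberFin. It audits four constructed policy documents written in AWS IAM and S3 policy syntax (an assumption for the demo, not something the article specifies): a helpdesk role granted everything, a bucket policy that shares client reports with the whole internet, and a hardened version of each. The checks flag wildcard actions, Allow on every resource, and public principals without a condition.

```python
"""Tenant-side permission audit over constructed AWS-style JSON policy documents.

Added example; not code from the original article or from CyberFin. It checks
the part of cloud security the customer still owns under the shared-
responsibility model: who can reach what. The four policies below are
constructed, and the use of AWS IAM/S3 policy syntax is an assumption for the
demo. Three findings are raised: wildcard actions (an over-permissioned
identity), Allow on every resource, and a resource policy that grants access to
everyone (a share exposed by mistake). A hardened version of each weak policy
is included so the checks can be seen passing as well as failing.
"""
import json

# Weak: a helpdesk role that was given everything "to make it work".
HELPDESK_WEAK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Hardened: only the calls the helpdesk actually performs, scoped to user ARNs.
HELPDESK_FIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetUser", "iam:ListMFADevices", "iam:DeactivateMFADevice"],
         "Resource": "arn:aws:iam::123456789012:user/*"},
    ],
})

# Weak: a bucket policy meant to share reports with one client, opened to everyone.
REPORTS_WEAK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::client-reports/*"},
    ],
})

# Hardened: the same grant limited to the client's own role.
REPORTS_FIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::210987654321:role/ClientReportReader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::client-reports/*"},
    ],
})


def as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous callers)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False


def audit_policy(name, document):
    """Return [(name, statement_index, code, detail), ...] for a JSON policy string."""
    findings = []
    for idx, st in enumerate(as_list(json.loads(document).get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = as_list(st.get("Action"))
        resources = as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((name, idx, "wildcard_action", f"Action={actions}"))
        if "*" in resources:
            findings.append((name, idx, "wildcard_resource", f"{actions} allowed on every resource"))
        if is_public(st.get("Principal")) and "Condition" not in st:
            findings.append((name, idx, "public_principal", f"anyone may {actions} on {resources}"))
    return findings


def run_audit():
    """Audit the four constructed policies; return {policy_name: findings}."""
    policies = {
        "helpdesk-weak": HELPDESK_WEAK,
        "helpdesk-fixed": HELPDESK_FIXED,
        "reports-weak": REPORTS_WEAK,
        "reports-fixed": REPORTS_FIXED,
    }
    return {name: audit_policy(name, doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name:15} {status}")
        for _, idx, code, detail in findings:
            print(f"   statement {idx}: {code}: {detail}")
```

The weak helpdesk policy yields two findings and the open bucket one; both hardened versions pass. The Resource "*" check is deliberately blunt: a production linter allowlists read-only actions that legitimately need it (many List and Describe calls) so the output stays short enough for someone to act on.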
