
How do you prevent one wrong click from becoming decisive?

In December 2023, an employee at Coaxis, a French IT service provider, received an email. It looked legitimate. He clicked and logged in – unwittingly giving LockBit, one of the most dangerous ransomware groups in the world, access to the network. What followed affected 350,000 companies. Not because the technology failed, but because of a misjudgment at a single moment.

The attack on Coaxis is central to the documentary Don’t Go to the Police, in which you follow the story from the inside.

The human factor as an attack vector: what the data shows

Every organization faces human moments where things can go wrong. That cannot be entirely prevented. The question is how well prepared you are for that moment.

Security Navigator 2026 data from Orange Cyberdefense shows that the human factor is playing an increasingly significant role in cyber incidents. For the first time, internal incidents form the majority: their share rose from 47% to 57% in eleven months.

These are not incidents where attackers break through firewalls. More often, attackers exploit human behavior. The most effective attack vector costs nothing and requires no technical expertise. A convincing email at the right moment can be enough.

Awareness is not enough

The standard response to phishing is security awareness training. Employees learn to recognize suspicious emails, use strong passwords, and handle links carefully. That is valuable – but not sufficient.

Knowledge does not automatically change behavior, especially under pressure. At the same time, the bar keeps rising. Thanks to AI, the barrier to creating convincing phishing emails has virtually disappeared. Even an employee who knows what phishing looks like may still click on a credible link during a busy morning.

The NCSC puts it well: organizations must be “brilliant at the basics” by building the right environment – one where reporting feels safe, where mistakes are discussed rather than punished, and where systems are designed so that a single wrong click does not immediately cause major damage.

Organizations that score highest in human resilience do not have the most training sessions. They have created a culture in which security is a shared responsibility, not an individual risk.

How do you limit the impact of a phishing attack?

No organization is completely “click-proof.” What makes the difference is what happens next. Three key questions help clarify this:

1. Does your employee know what to do after a suspicious click?

The first and most critical step after a suspicious click is reporting it – immediately, not two days later. A clear, low-threshold reporting process makes the difference between a controlled response and an incident that escalates unnoticed.

If reporting feels complicated or risky, it is often delayed – and valuable time is lost.

2. What happens in the first hour after a phishing email is opened?

Who makes which decisions? Who is informed? Which systems are isolated? Organizations that have defined this in advance are better able to respond quickly and effectively. Without that clarity, critical time is lost when it is needed most.

A compact incident response plan does not need to be an extensive playbook – but the first steps must be defined before they are needed.

3. Are your systems set up to limit the damage of a single click?

Strong access controls, segmentation, and detection help prevent one compromised account from granting immediate access to the entire network. The way your environment is configured determines how far an attacker can get once inside.

At the same time, AI is making attacks increasingly convincing and harder to detect. This requires environments that do not rely on trust based on location or network, but on continuous verification. A Zero Trust approach can help achieve this.

Do you know where you stand?

Human resilience is not an HR issue – it is a security strategy. Organizations that excel in this area do not try to eliminate human error. They think in advance about what happens when it occurs. To assess this properly, you need insight into where your real vulnerabilities lie.

A penetration test can help identify those vulnerabilities – not as a one-off check, but as a starting point for more targeted decisions about where your risks are and how to reduce them.
