How do you prevent one wrong click from becoming decisive?

In December 2023, an employee of Coaxis, a French IT service provider, received an email. The email looked legitimate. He clicked and logged in. In doing so, he unknowingly gave LockBit, one of the most dangerous ransomware groups in the world, access to the network. What followed affected 350,000 companies. Not because the technology failed, but because a misjudgment was made at a single moment.

The attack on Coaxis is central to the documentary Don't Go to the Police, in which you follow the story from the inside.

Humans as an attack vector: what the numbers say

Every organisation faces human moments where things can go wrong. That cannot be completely prevented. The question is how well you are prepared for that moment.

Security Navigator 2026 data from Orange Cyberdefense shows that the human factor plays an increasingly large role in cyber incidents. For the first time, internal incidents constitute the majority: their share rose from 47% to 57% in eleven months.

These are not incidents where attackers break through firewalls. More often, they involve situations where attackers exploit human behavior. The most effective attack vector costs nothing and requires no technical expertise. A persuasive email at the right moment can be sufficient.

Awareness is not enough

The standard response to phishing is security awareness training. Employees learn to recognize suspicious emails, use strong passwords, and handle links with caution. That is valuable, but it is not sufficient.

Knowledge does not automatically change behavior, certainly not under pressure. At the same time, the bar is being raised higher and higher. Thanks to AI, the barrier to creating a convincing phishing email has virtually disappeared. Even an employee who knows what phishing looks like can still click on a convincing link on a busy morning.

The NCSC puts it aptly: organizations must be "brilliant at the basics" by building the right environment. An environment where reporting feels safe, where mistakes are discussed rather than punished, and where systems are set up so that one wrong click does not immediately have major consequences.

The organizations that score best on human resilience do not have the most training. They have created a culture in which security is a shared responsibility, not an individual risk.

How do you limit the damage from a phishing attack?

No organisation is completely “click-proof.” What makes the difference is what happens afterward. Three questions that help to clarify this:

1. Does your employee know what to do after a suspicious tip?

The first and most critical step after a suspicious click is reporting. Not in two days, but within the first few minutes. A clear, accessible reporting process makes the difference between a controlled response and an incident that escalates unnoticed.

If reporting feels complicated or risky, it is often postponed and precious time is lost.

2. What happens in the first hour after a phishing email is opened?

Who makes which decision? Who is informed? Which systems are isolated? Organizations that have established this in advance are better able to act quickly and decisively. When that clarity is lacking, valuable time is lost when it is needed most.

A compact incident response plan doesn't have to be an extensive script, but the first steps must be established before they are needed. Read here how to lay the foundation for your incident response plan in four weeks.

3. Are your systems set up to limit the damage of a single click?

Strong access control, segmentation, and detection help prevent a single compromised account from granting direct access to the entire network. The configuration of your environment determines how far an attacker can get once inside.

At the same time, AI is making attacks increasingly credible and harder to detect. This calls for environments that do not rely on trust based on location or network, but on continuous verification. A Zero Trust approach can help with this. Read more about a Zero Trust approach.

Do you know where you stand?

Human resilience is not an HR issue. It is a security strategy. Organisations that excel in this area do not try to eliminate human errors. They think ahead about what happens if they occur. To accurately assess this, you need insight into where your vulnerabilities actually lie.

A penetration test can help map out those vulnerabilities. Not as a one-off check, but as a starting point for more targeted decisions about where your risks lie and how you can mitigate them.

Discover what pentesting reveals about your organization
