Cybersecurity: The Real Risk Is Human – Italian Data Reveals Why

The human factor: why cybersecurity incidents start with people, not technology

When we talk about cybersecurity, most business owners picture firewalls, antivirus software, and encrypted connections. Yet the data tells a very different story. In Italy, as across Europe, the single greatest cybersecurity risk is not a piece of malware; it is a person clicking the wrong link, reusing a weak password, or sending sensitive data to the wrong recipient. Human error in cybersecurity accounts for roughly 61% of all security incidents in Italian organisations, a figure that should prompt every SMB leader to rethink where their security budget is actually going.

This is not an abstract problem reserved for large enterprises. Small and medium businesses across the EU are increasingly targeted precisely because attackers know their employees are less likely to have received structured security awareness training. Understanding this reality is the first step toward closing the gap.

Italy’s cybersecurity paradox: high awareness, misallocated investment

Italian companies consistently rank cybersecurity among their top business priorities. Surveys by the Politecnico di Milano’s Cybersecurity & Data Protection Observatory confirm that spending on information security has grown year on year, reaching over €2.15 billion in 2023. Yet the vast majority of that budget flows toward technological solutions (endpoint protection, network monitoring, cloud security tools), while investment in people remains disproportionately low.

The result is a dangerous imbalance. Organisations deploy sophisticated platforms but leave the humans operating them without adequate preparation. According to industry reports, only a fraction of Italian SMBs run continuous cybersecurity training programmes. Many limit awareness efforts to a single onboarding session or an annual compliance checkbox exercise that employees forget within weeks.

This pattern is not unique to Italy. The European Union Agency for Cybersecurity (ENISA) has repeatedly highlighted the skills and awareness gap as one of the continent’s most pressing vulnerabilities. But the Italian data is especially stark: with 61% of incidents traced back to human mistakes, the country sits above the European average for people-driven breaches.

What “human error” actually looks like in practice

The phrase “human error” can sound vague. In day-to-day operations, it takes very concrete forms that any business owner will recognise.

Phishing and social engineering

Phishing remains the number-one attack vector globally, and Italian businesses are no exception. Attackers craft emails that impersonate suppliers, banks, or even colleagues, tricking employees into revealing credentials or authorising fraudulent payments. The Clusit 2024 report noted that social engineering techniques were involved in a significant share of successful attacks against Italian targets, with phishing emails growing more convincing thanks to generative AI tools now available to criminals.

Credential mismanagement

Weak, reused, or shared passwords continue to plague organisations of every size. When an employee uses the same password for a corporate application and a personal shopping site that later suffers a breach, attackers gain an easy entry point. Credential stuffing attacks, where stolen username-password pairs are tested against corporate logins, succeed far more often than most business owners assume.

Misconfiguration and accidental data exposure

Not every incident involves a malicious outsider. Employees inadvertently misconfigure cloud storage, send files to the wrong email address, or grant excessive access permissions. These mistakes can expose customer data, trigger GDPR breach notification obligations, and result in regulatory fines that hit SMBs particularly hard relative to their revenue.

Shadow IT and unapproved tools

When employees adopt unapproved applications (personal file-sharing services, messaging apps, or AI tools) without IT oversight, they create blind spots that no firewall can cover. Shadow IT is especially prevalent in smaller companies where formal software governance processes may not exist.

Why SMBs are disproportionately exposed

Large enterprises can afford dedicated security operations centres, red-team exercises, and full-time chief information security officers. Most European SMBs cannot. This resource gap has real consequences.

First, smaller organisations typically lack the specialised cybersecurity professionals needed to design and maintain a layered defence. Italy faces a well-documented shortage of qualified cybersecurity experts, estimated at tens of thousands of unfilled positions nationwide, and SMBs struggle to compete with larger employers for the talent that does exist.

Second, the attack surface of a small business is often deceptively large. Cloud services, remote work endpoints, third-party integrations, and IoT devices all create entry points that must be monitored and secured. Without a structured approach to IT infrastructure management, many of these surfaces remain unprotected.

Third, supply chain pressure is increasing. Larger clients and partners, especially those subject to the NIS2 directive, are beginning to require that their SMB suppliers demonstrate minimum cybersecurity standards. Businesses that cannot show evidence of adequate security practices, including personnel training, risk losing contracts and market access. You can learn more about how NIS2 compliance affects your organisation and what steps to take now.

Building a people-first cybersecurity strategy

Closing the human risk gap does not require enormous budgets. It requires a shift in mindset: treating cybersecurity training as an ongoing operational process rather than a one-time project.

Make training continuous and contextual

Annual awareness sessions are better than nothing, but they are not enough. Effective programmes deliver short, frequent training modules, ideally monthly, tailored to the specific threats each department faces. Finance teams need to recognise invoice fraud schemes. Sales staff need to understand the risks of sharing data through unofficial channels. IT administrators need to stay current on misconfiguration risks.

Simulated phishing campaigns, where employees receive realistic but harmless test emails, have proven to be one of the most effective ways to build lasting vigilance. Organisations that run regular simulations consistently see click rates on real phishing emails drop by 60% or more within the first year.

Establish clear policies and make them easy to follow

Cybersecurity policies should be written in plain language, easily accessible, and integrated into daily workflows. If the secure way of doing something is harder than the insecure way, employees will take the shortcut. Password managers, single sign-on solutions, and multi-factor authentication should be standard tools, not optional extras.

Create a culture of reporting, not blame

One of the most damaging aspects of human error is the delay between the mistake and its discovery. Employees who fear punishment for clicking a suspicious link are less likely to report it immediately. Organisations that foster a blame-free reporting culture detect and contain incidents significantly faster, often before any real damage occurs.

Leverage external expertise

For SMBs that lack in-house security specialists, partnering with a managed security provider can bridge the gap effectively. External teams bring the tools, the threat intelligence, and the expertise to monitor environments continuously and respond to incidents quickly. Discover how our cybersecurity services are designed specifically to support businesses that need enterprise-grade protection without enterprise-level complexity.

The regulatory dimension: NIS2 and GDPR raise the stakes

European regulation is making the human factor harder to ignore. The NIS2 directive, which EU member states were required to transpose into national law by October 2024, explicitly mandates that organisations in covered sectors implement cybersecurity awareness training for all staff, including management. Non-compliance can result in significant administrative fines.

GDPR, already in force since 2018, holds organisations accountable for data breaches regardless of whether the cause was a sophisticated attack or a simple employee mistake. Italian data protection authorities have not hesitated to issue fines to companies, including small ones, where inadequate training contributed to a breach.

Together, these regulations send a clear message: investing in technology alone is no longer sufficient. Regulators expect to see documented evidence that people have been trained, that risks have been assessed, and that organisations have taken reasonable steps to prevent human error.

From risk to resilience: practical next steps for business leaders

The data from Italy is a wake-up call, but it is also an opportunity. Organisations that address the human factor now will not only reduce their incident rate but also gain a competitive advantage as supply chain security requirements tighten and customers become more discerning about who they trust with their data.

Here is a practical starting point for any SMB leader reading this:

  1. Audit your current state. When was the last time your employees received cybersecurity training? Is it documented? Could you demonstrate compliance to a regulator or a client?
  2. Assess your most likely human risks. Which departments handle sensitive data? Who has administrative access? Where are the weakest links?
  3. Implement a continuous training programme. Start small if necessary; even monthly five-minute modules make a measurable difference over time.
  4. Deploy basic technical safeguards that reduce human error. Multi-factor authentication, password managers, and email filtering are cost-effective measures that compensate for inevitable mistakes.
  5. Review your incident response plan. Does it account for human-caused incidents? Is there a clear, blame-free reporting channel?

The 61% statistic is not a condemnation of employees. It is a reflection of systems that have not yet adapted to the reality that people are both the greatest vulnerability and the strongest potential defence. Investing in your team’s awareness and preparedness is not a cost; it is one of the highest-return security investments an SMB can make.
