Tags: Vishing · Generative AI · Cyber Insurance

    June 6, 2026 · 8 min read · By José Vicente Chávez

    The Perfect Storm: Three Forces That Made the Human Factor Your Biggest Vulnerability in 2025


    An Unprecedented Convergence

    In the last 18 months, three independent forces converged to create an unprecedented situation in cybersecurity:

  1. Generative artificial intelligence democratized attacks that previously required specialized teams
  2. Massive high-profile breaches generated board-level awareness about human risk
  3. Cyber insurance became an economic catalyst forcing action

    Each of these forces alone would be significant. All three together create what can be described as a perfect storm for the human factor in cybersecurity.

    Force 1: AI Democratized Sophisticated Attacks

    Three years ago, executing a convincing vishing attack required: a team of operators trained in social engineering, extensive manual research on the target, and the ability to improvise in real time during the call.


    Today, any attacker with internet access can:

    Clone a voice with 3 seconds of audio

    Tools like ElevenLabs allow generating a cloned voice indistinguishable from the original using only 3 seconds of sample audio. That audio can be extracted from a LinkedIn video, a podcast, a recorded presentation, or even a voice message.

    The result: phone calls where the CFO's "voice" requests urgent transfers, using the exact tone, cadence, and speech patterns of the real executive.

    Automatically generate contextualized pretexts

    Language models can analyze a company's public communications (press releases, social media, presentations) and generate specific pretexts for each organization.

    "Hi Maria, this is the CFO. I need you to process an urgent transfer related to the Chile expansion project we mentioned on Friday's call. The vendor is pushing and I need this out before close."

    Every element of that message can be automatically generated by analyzing public information.

    The numbers confirm democratization

    According to Deloitte, vishing attacks increased 442% in 2024.

    This increase does not reflect that attackers became more numerous. It reflects that the barrier to entry dropped dramatically. Attacks that previously required specialized teams can now be executed by individuals with limited resources.

    Force 2: Boards Woke Up

    For years, human risk was a CISO concern that rarely reached the board agenda. The topic was too technical, too abstract, too difficult to quantify.

    The 2024 cases changed this.

    Snowflake: Over $300 million in losses. Over 165 enterprise customers affected including Ticketmaster and Santander. The vector was not an exotic technical vulnerability. It was a remote contractor without MFA who gave up their credentials.

    MGM Resorts: Over $100 million in losses. Las Vegas operations paralyzed for 10 days. The vector was a call to the helpdesk where the agent granted access after "verification" using public LinkedIn information.

    These cases have something in common that CEOs and boards can immediately understand: they were not technical failures. They were legitimate employees who were deceived into using valid credentials during normal working hours, passing every technical defense without generating a single alert.

    Zero Trust, MFA, DLP: all these defenses assume that "the user acts correctly without coercion or deception." When that assumption fails, technical defenses do not help.

    The shift in executive conversation

    For the first time in corporate history, "the human layer" is a board priority, not just a CISO concern.

    Before, the CISO had to convince the board that human risk mattered. Now, the board actively asks what is being done about it.

    This shift created budget and urgency that did not exist before. It also created an expectation: the CISO must now demonstrate they are effectively mitigating this risk, not just training employees.

    Force 3: Cyber Insurance as Catalyst

    The third force is economic and perhaps the most immediate: cyber insurance.

    In 2024, insurers drastically adjusted their requirements. They no longer accept "we completed annual training" as evidence of preparedness. They demand monthly evidence of continuous and documented preparedness.

    Requirements updated in 2024:

    92% of insurers globally now require documented training as a coverage condition. Premiums increase between 150% and 400% post-breach.

    In Colombia, 89% of insurers updated their requirements between August and October 2024 to reject coverage or multiply premiums 3 to 5 times if the company cannot demonstrate "documented monthly employee preparedness."

    The three main insurers (Seguros Bolívar, SURA, Liberty) representing 78% of the market updated their requirements demanding "monthly evidence of awareness testing" as a mandatory condition.

    A concrete case:

    A cooperative bank with 280 employees in Medellín faced this reality in October 2024:

    Before:

    • Premium: $72M COP/year
    • Coverage: $8,000M COP

    After:

    • Premium: $196M COP/year (+272%)
    • Coverage: $2,000M COP (-75%)

    The reason: they only had an "annual course with 82% completion" instead of the monthly simulations with granular reports that the insurer required.

    The CISO contacted three vendors in 48 hours. KnowBe4 quoted $96M COP/year with 6 weeks implementation. Proofpoint did not respond. The bank was left without viable options in the available time.

    The economic catalyst

    Unlike "cybersecurity awareness" which can be ignored, the insurance impact is immediate and quantifiable.

    Companies that cannot produce the reports insurers require face a binary decision: they pay multiples of their previous premium for a fraction of coverage, or they go without coverage.

    This is a catalyst the CFO immediately understands. And a catalyst the CISO can use to justify investment in real human risk management.

    Accelerated Vulnerability

    These three forces converge in a context where exposure is growing rapidly.

    Compromised credentials: 156 million Colombian credentials circulate on the dark web, with 41% growth in 12 months (versus 30% average in LATAM).

    Attack volume: Kaspersky reported 150 million phishing attempts targeting Colombia in the last 12 months (August 2024).

    Employee behavior: 74% of Colombian employees admit to sharing work passwords according to Microsoft Digital Defense Report 2024.

    Organizational preparedness: 87% of Colombian SMBs with 100 to 500 employees have no CISO or dedicated security team. Only 31% of medium-sized companies in Colombia have "some type of security training" versus 54% average in LATAM.

    When an attacker combines compromised credentials with password-sharing employees in organizations without a CISO, average compromise time drops to 4 to 6 hours. Technical defenses only detect damage after it has already occurred.

    Why Technical Defenses Are Not Enough

    The fundamental assumption of technical tools is that "the user acts correctly without coercion or deception."

    When a Finance Manager receives a call with their CFO's cloned voice requesting an urgent transfer with specific context from a real project, the security system will see:

    • Legitimate user
    • Correctly authenticated
    • Appropriate permissions
    • Usual device
    • Normal business hours

    All defenses give a green light because, technically, everything is correct.

    The only way to prevent compromise is for the employee to recognize and report the attack before delivering credentials, approving permissions, or authorizing transfers.

    This requires something technical defenses cannot provide: that the human at the critical moment makes the right decision.

    What This Means for the CISO

    The three converging forces create both pressure and opportunity.

    The pressure:

    • The board now asks about human risk specifically
    • The insurer demands documented monthly evidence
    • Attackers have more sophisticated and accessible tools
    • Time to act is limited (insurance renewal does not wait)

    The opportunity:

    • Budget exists that did not exist before
    • Executive urgency exists that did not exist before
    • Solutions exist that measure real risk instead of training activity
    • The CISO who demonstrates measurable results will have unprecedented credibility

    Questions the Board Will Ask

    In the next 12 months, boards will ask:

  1. How many of our employees have compromised credentials on the dark web right now?
  2. Which specific employees are vulnerable to what types of attack?
  3. What evidence do we have that our preparedness works? (Not "completed the course." Demonstrated resistance under simulated attack.)
  4. What reports are we delivering to the insurer, and are they sufficient?
  5. How do we compare to cases like MGM and Snowflake in terms of preparedness?

    The CISO who can answer these questions with specific and defensible data will be in a completely different position from the CISO who can only report "78% completed training."

    The Window of Opportunity

    The convergence of these three forces creates a specific window of opportunity.

    For the first time there is:

    • Executive awareness of the problem
    • Budget available to address it
    • Economic catalyst (insurance) forcing action
    • Technology that allows measuring what was previously impossible to measure

    CISOs who recognize this window and act in the next 12 to 18 months will have the most significant defensive advantage of the decade.

    Those who continue with the previous model (generic annual training, activity metrics instead of risk metrics) will face questions they cannot answer from increasingly informed boards and increasingly demanding insurers.

    The perfect storm has already arrived. The question is what you are going to do about it.

    Human risk is managed automatically.

    Turn your weakest link into your strongest defense.

    Book a demo

    Free demo · 30 minutes · No commitment

    José Vicente Chávez

    CEO and founder of Fensivo. Writes about human risk and behavioral cybersecurity.
