Five Cybersecurity Myths Enterprises Must Leave Behind in 2025
This year’s threat patterns exposed five major misconceptions about user risk that every enterprise should retire before 2026.


Enterprises spent years relying on familiar assumptions about what drives user risk, yet the events of this past year showed how quickly those beliefs can fall out of date. Several long-held ideas no longer match the reality security teams faced, and the lessons of 2025 made it clear that these assumptions can no longer guide modern defense.
The most significant shifts in 2025 had little to do with new malware families or advanced technical exploits. Instead, they occurred at the user layer, as attackers found new ways to exploit human error. As a result, many of the traditional indicators organizations once trusted to gauge readiness proved to be unreliable predictors of how prepared their workforce actually is.
As enterprises prepare for 2026, several assumptions that once guided security programs can no longer be relied on. The following myths stand out as the most important to retire, and each one reveals a critical shift in how modern attacks succeed.

The User Risk Myths Holding Enterprises Back
Myth #1: Legacy Security Awareness Training Protects Employees Against Social Engineering
Social engineering remains one of the fastest and most reliable ways for attackers to reach employees, and legacy Security Awareness Training claims to prevent it. Yet these programs rely on annual modules, generic content, and completion scores that measure participation rather than readiness. The assumption is that enough exposure to training will meaningfully reduce phishing risk, even though these blanket approaches neither engage employees nor reflect how attacks actually unfold.
The truth: Regular security training is ineffective and inefficient at changing behavior or reducing breach risk. A large study at UC San Diego Health, which tracked nearly 20,000 employees across ten simulated phishing attacks, found no meaningful relationship between how recently an employee completed training and whether they fell for an attack. Failure rates stayed essentially constant regardless of when the training was taken, showing that legacy SAT does not prepare employees for real social engineering attempts.
Myth #2: Every Employee Poses the Same Level of Cyber Risk
Many organizations still operate as if every employee is equally likely to introduce risk, which leads to uniform training, uniform testing, and uniform controls across the entire workforce. This belief treats user risk as uniform rather than behavioral and obscures the fact that only a small portion of employees consistently trigger the patterns attackers exploit. The result is an inefficient model that overburdens low-risk users, wastes security resources, and fails to concentrate attention where it is most urgently needed.
The truth: Risk is not evenly distributed across the enterprise. In most organizations, about 5% of users drive the majority of measurable security risk, while roughly 70% consistently operate with low-risk behaviors. These differences matter. High-risk users require more targeted testing, adaptive training, and closer oversight, while low-risk users benefit from reduced friction and fewer interruptions. Effective security programs tailor remediation to user behavior and context rather than treating everyone the same. Focusing controls where they have the greatest impact improves resilience, reduces noise, and helps organizations strengthen their defenses without overburdening the entire workforce.
Myth #3: Most Insider Threats Come From Malicious Employees
Executives and boards still picture insiders as employees who intentionally cause harm. Yet recent incidents show that many significant insider threats were driven by employees who were socially engineered, impersonated, or manipulated into acting against their own organization. Groups like Scattered Spider demonstrated how effective this approach can be by turning trusted employees into unintentional facilitators for access, data, and operational movement.
The truth: Malicious insiders exist, but they are not the most common source of insider risk. The majority of insider incidents stem from negligent or unintentional behavior, along with compromised accounts that attackers use to operate as legitimate employees. Modern adversaries rely on behavioral manipulation, trusted communication channels, and subtle impersonation to guide ordinary users into actions that escalate risk. With insider threats costing organizations an average of $17.4 million per year, overlooking this reality leads to both blind spots and costly consequences.
Myth #4: Email Is the Only Channel That Matters for Social Engineering Defense
Email has been the focus of enterprise social engineering defenses for decades, with 85% of CISOs still ranking it as their top social engineering concern. Yet attacker behavior has moved far beyond the inbox. Modern campaigns now span every channel employees use to communicate. Channels like encrypted apps, SMS, voice, collaboration tools, and social media all carry weaker oversight, fewer controls, and significantly lower user readiness, making them attractive environments for adversaries who want to avoid detection.
The truth: Email is only one piece of a much larger social engineering ecosystem. Smishing attacks alone have surged 328% in recent years and consistently show higher and faster open rates than email-based lures, and attackers apply the same tactics across other mobile-first channels. According to our 2025 Global Insider Threat Intelligence Report, 0% of surveyed enterprises simulate attacks in encrypted messaging apps, even though 64% reported confirmed or suspected social engineering attempts on platforms like WhatsApp, Signal, Telegram, or Messenger. Attackers combine channels to build credibility, escalate urgency, and guide employees toward unsafe actions, often reinforcing an email with a text, call, or collaboration ping that feels routine and internal. Treating email as the only channel that matters creates critical blind spots across the rest of the enterprise communication stack.
Myth #5: Large-Scale Social Engineering Campaigns Require Sophisticated Attackers
For many years, large-scale social engineering attacks were associated with advanced threat groups that had the resources, time, and expertise to execute coordinated and convincing campaigns. That is no longer the case. AI-generated content, automated tooling, and dark web marketplaces have made high-quality impersonation and multi-channel outreach accessible far beyond skilled actors.
The truth: Sophistication is no longer a prerequisite for high-impact social engineering. Dark web marketplaces now offer ready-made phishing kits, templates, and automation tools that inexperienced attackers can deploy with minimal effort. Researchers report a roughly 50% rise in these kits since 2021, with many selling for about $25.00 or available open source. Deepfake tool trading on underground forums surged 223% in 2024, making voice and video impersonation available to anyone willing to download a package. With AI accelerating every stage of the attack chain, what once required coordinated threat groups and specialized skill sets is now accessible to attackers who can download a kit, run a script, or follow a step-by-step online guide.

Retiring Myths and Rebuilding a Stronger Model for User Security
One reality did remain consistent over the past year: 90% of breaches still start with human error, and as attackers expand into new channels, refine their methods, and use AI to personalize every attack, the user layer is becoming an even more decisive point of failure. As enterprises prepare for 2026, moving beyond these familiar beliefs is essential to reducing the likelihood that a single moment of user vulnerability becomes the start of a major incident.
At Dune Security, we are building the foundational agentic platform in user security to prevent insider threats and social engineering attacks with automated, behavior-driven defense. By aligning protection to employee behavior and the way modern attacks actually unfold, we give organizations continuous visibility, targeted intervention, and a more resilient model for managing user risk.
FAQs
Human error remains the leading cause of breaches because one user mistake can open the door for an attacker. Social engineers evolve their methods every day to push employees into quick, risky actions. This constant adaptation makes it difficult for traditional controls to keep pace.
Insider threats fall into three main categories. Careless insiders introduce risk through mistakes, shortcuts, or policy violations that expose data or systems. Compromised insiders have their accounts or devices taken over by attackers who operate as legitimate employees. Malicious insiders intentionally misuse their access for personal, financial, or retaliatory reasons.
Multi-channel attacks build credibility by spreading signals across the platforms employees use daily. A message reinforced by a text, call, or collaboration ping feels more trustworthy and reduces hesitation. Each touchpoint increases the pressure to comply, making it harder for users to identify inconsistencies or slow down.
AI allows attackers to generate personalized messages, clone voices, and create convincing content at a speed that far outpaces manual methods. Tools that once required expertise are now available to anyone willing to download a kit or script. This acceleration lets attackers target more employees with more believable attempts, raising overall enterprise risk.
Debunking these myths is essential because modern attacks evolve faster than legacy assumptions. Understanding the real drivers of user risk enables organizations to adapt before attackers exploit the gap. It positions enterprises to respond proactively rather than react after a breach has already started.


