A distracted click, a six-figure loss
The CFO of a distributor with 85 employees received an email seemingly sent by the CEO requesting the urgent transfer of R$ 127,000 to an international supplier. The email had the right name, the right tone, even the correct signature footer. The transfer was made in 14 minutes. The money was never recovered. When the IT team analyzed the incident, they found no failures in the servers, no viruses on the computers, no breaches in the firewall. The system was intact. The problem was a routine: in the company, urgent email requests were handled quickly and without a second channel of confirmation. This routine, which seemed efficient, was actually an open door.
According to the Verizon 2024 Data Breach Investigations Report, 68% of successful data breaches involve some type of non-malicious human action, meaning ordinary people doing ordinary tasks and making common mistakes. Not brilliant hackers breaking encryption, but distracted employees clicking on links, reusing passwords, or sharing files through the wrong channel. For SME managers, this statistic should be an alarm: investment in security technology, no matter how robust, only protects part of the equation. The other part, often larger, lies in the daily habits of your team.
This advisory study examines how seemingly harmless operational routines become the main vulnerabilities of companies with 10 to 500 computers, and what business leaders can do to turn organizational behavior into a layer of protection.
The problem is not where most managers look
When it comes to cybersecurity, the instinctive reaction of many managers is to think about products: a better antivirus, a more expensive firewall, a more sophisticated monitoring system. This mindset is understandable but incomplete. According to NIST, in its 2024 report on cybersecurity culture in small and medium-sized enterprises, most mid-sized organizations invest 3 to 5 times more in technological tools than in behavioral preparation of the team. The result is predictable: well-protected systems operated by people who, without realizing it, circumvent these protections daily.
Consider five habits that Forrester, in its 2024 study The Human Factor in Cybersecurity, identifies as the most recurring and dangerous in companies of this size. First, the sharing of passwords among colleagues to "speed up" access. Second, the use of personal email or non-corporate messaging apps to send sensitive documents. Third, the absence of two-step verification, known as multi-factor authentication (MFA), in critical systems such as banks, ERPs, and management platforms. Fourth, the immediate response to emails marked as "urgent" without confirming the sender's identity through another channel. Fifth, the maintenance of active access for former employees for weeks or months after termination.
None of these five items is a technology problem. They are all process problems. And they occur with alarming frequency because they are, from the perspective of those who practice them, shortcuts to work faster. The team is not trying to sabotage the company. They are trying to get through the day. It is exactly this normality that makes these habits so dangerous: no one perceives the vulnerability because it looks like productivity.
The cost of this invisibility is concrete. According to the Verizon DBIR 2024, the average cost of a security incident caused by human error in SMEs ranges from $120,000 to $200,000 when accounting for operational disruption, investigation, remediation, customer notification, and, in many cases, regulatory fines. For a company that generates R$ 20 million per year, this can represent between 3% and 5% of annual revenue evaporating in a single event. And this calculation does not include reputational damage, which for medium-sized companies can mean the loss of strategic contracts.
The root of the problem is structural. In most SMEs, cybersecurity has never been treated as a management discipline. It has been delegated to the "IT staff" as if it were equivalent to setting up printers. When there is a security policy, it is often a document created years ago that no one reviews and that does not reflect the current operational reality. Onboarding processes for new employees rarely include security training. Offboarding processes rarely include immediate revocation of access. And between entry and exit, there is no formal mechanism to assess whether people are following safe practices in their daily routines.
The result is a growing gap between what the company believes its level of protection is and what it actually is. A 2024 Forrester survey reveals that 74% of SME leaders rate their security posture as "adequate" or "good," while independent audits identify critical behavioral vulnerabilities in 89% of those same organizations. That is a perception gap, and the gap is exactly where incidents occur.
Practical paths: security as a management discipline
The first necessary change is a mental framing. Cybersecurity is not a product that you buy and install. It is an organizational behavior that is built, measured, and continuously adjusted, just as a company builds a culture of quality, a culture of service, or a culture of compliance. A manager who understands this stops asking "what software should I buy?" and starts asking "which processes in my operation are exposed?".
The second change is methodological. Instead of generic annual training on digital security, which according to NIST has an effectiveness of less than 12% in long-term behavior change, the most effective approach is to incorporate security checks into existing processes. For example: include a confirmation step by phone or direct message for any financial transfer above a certain amount. Create a termination checklist that includes revocation of all digital access on the same day. Establish that sensitive documents only travel through encrypted corporate channels. These are adjustments to existing processes, not extra layers of bureaucracy.
The third change is measurement. What is not measured cannot be managed. Periodic phishing simulations, those controlled fake emails that test whether the team recognizes fraud attempts, are the most direct way to measure the level of behavioral vulnerability without seeming invasive. The results should not be used to punish, but to identify where contextual training is most needed. Companies that implement quarterly cycles of simulation and targeted training reduce the click rate on malicious emails by up to 67% over 12 months, according to data from Forrester.
Finally, the most important change is responsibility. When cybersecurity is a topic for the board, and not just the IT department, the message that spreads throughout the organization is different. Employees realize that digital security is a business priority, not a technical whim. And business priorities receive attention, resources, and oversight.
5 questions every manager should ask
1. Why do 68% of data breaches in SMEs involve human error and not technical failure?
2. What are the 5 most dangerous operational habits that companies with 10 to 500 machines repeat daily?
3. How can you measure the real level of behavioral vulnerability of your team without seeming intrusive?
4. What is the average cost of an incident caused by human error versus the investment in a security culture?
5. How can you build a security routine that works without hindering operational productivity?
1. Why do 68% of data breaches in SMEs involve human error and not technical failure?
Because attacks have evolved to exploit people, not systems. Modern security tools have made direct server breaches increasingly difficult and expensive for criminals. In contrast, convincing someone to click on a link, reveal a credential, or approve a fraudulent transaction has become easier with the use of sophisticated social engineering, even enhanced by artificial intelligence. The path of least resistance goes through human behavior.
For the manager, this means that technological protection, no matter how advanced, functions like a fortified door with the window next to it open. Investment in tools remains necessary, but it needs to be complemented by processes that reduce the surface of human error. The strategic question is not "is my technology good enough?" but rather "are my processes designed to minimize the mistakes my team will inevitably make?".
2. What are the 5 most dangerous operational habits that companies with 10 to 500 machines repeat daily?
Sharing passwords, using personal channels for work documents, ignoring multi-factor authentication, reacting to urgent emails without secondary verification, and keeping active access for former employees. Each of these habits is, in isolation, a moderate risk. Combined, as they often are, they create an environment where a single well-crafted phishing email can simultaneously compromise financial data, customer information, and intellectual property.
The most relevant point for the manager is that these habits do not arise from negligence. They arise from a lack of practical alternatives. If the password system is complicated, people share. If the corporate channel is slow, they use personal ones. If two-step verification is cumbersome, they disable it. The solution is not to prohibit, but to redesign. Offer secure paths that are as simple as the insecure paths the team already uses.
The audit of these five points can be done in a week, requires no significant investment, and produces a clear map of where the greatest exposures are. It is the most objective starting point for any behavioral security initiative.
3. How to measure the real level of behavioral vulnerability of your team without seeming invasive?
Controlled phishing simulations are the most effective and least intrusive tool. They function like digital "fire drills": simulated emails are sent to the team under realistic conditions, and the click, open, and data submission rates are recorded in an aggregated manner. No one is exposed individually. The goal is diagnosis, not punishment.
For the manager, the value lies in the objectivity of the data. Instead of believing that "the team knows how to take care of itself," you come to know that 23% of employees clicked on a simulated phishing link in the last quarter. This number is actionable: it allows you to direct training to the most vulnerable groups, adjust processes in departments with the highest risk rates, and track progress over time. Evidence-based management applied to security.
The cultural aspect is equally important. When leadership communicates that these simulations are tools for continuous improvement, not surveillance, acceptance tends to be high. The team understands that they are being prepared, not monitored. And preparation, when well conducted, generates engagement.
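The aggregated, group-level measurement described above, as an added example that is not part of the original article: it takes a constructed set of simulation results and an assumed minimum cohort size of 3, reports open, click and credential-submission rates only for groups large enough that no individual can be identified, computes the quarter-over-quarter trend, and flags the group that should receive targeted training first.

```python
# Added example, not code from the original article: aggregate the results of a
# phishing simulation into per-group rates (open, click, credential submission),
# suppressing any cohort too small to keep individuals anonymous, and flag the
# group that most needs targeted training.
from collections import defaultdict

# Constructed sample data: one record per recipient of the simulated email,
# as (department, quarter, opened, clicked, submitted_credentials).
RESULTS = [
    ("finance", "Q1", True, True, True), ("finance", "Q1", True, True, False),
    ("finance", "Q1", True, False, False), ("finance", "Q1", False, False, False),
    ("finance", "Q2", True, True, False), ("finance", "Q2", True, False, False),
    ("finance", "Q2", False, False, False), ("finance", "Q2", False, False, False),
    ("sales", "Q1", True, True, False), ("sales", "Q1", False, False, False),
    ("sales", "Q1", True, False, False), ("sales", "Q1", True, True, True),
    ("sales", "Q1", False, False, False),
    ("legal", "Q1", True, True, True),  # cohort of one: must never be reported alone
]

MIN_COHORT = 3  # assumed reporting threshold; below it, a rate identifies a person


def aggregate(results, min_cohort=MIN_COHORT):
    """Return {(group, quarter): {"n", "open_rate", "click_rate", "submit_rate"}}.
    Cohorts smaller than min_cohort are merged into an "other" bucket for that
    quarter, and the merged bucket is itself dropped if it is still too small."""
    sizes = defaultdict(int)
    for dept, quarter, *_ in results:
        sizes[(dept, quarter)] += 1
    totals = defaultdict(lambda: [0, 0, 0, 0])  # n, opened, clicked, submitted
    for dept, quarter, opened, clicked, submitted in results:
        key = (dept, quarter) if sizes[(dept, quarter)] >= min_cohort else ("other", quarter)
        for i, v in enumerate((1, opened, clicked, submitted)):
            totals[key][i] += int(v)
    return {
        key: {"n": n, "open_rate": o / n, "click_rate": c / n, "submit_rate": s / n}
        for key, (n, o, c, s) in totals.items() if n >= min_cohort
    }


def click_rate_trend(report, group, earlier, later):
    """Change in click rate between two quarters (negative means improvement)."""
    return report[(group, later)]["click_rate"] - report[(group, earlier)]["click_rate"]


def priority_group(report, quarter):
    """Group with the highest click rate in a quarter: where training goes first."""
    candidates = {g: r["click_rate"] for (g, q), r in report.items() if q == quarter}
    return max(candidates, key=candidates.get)
```

Calling aggregate(RESULTS) on the sample yields a 50% click rate for finance in Q1 falling to 25% in Q2, 40% for sales, and no row at all for the single-person legal cohort.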
4. What is the average cost of an incident caused by human error versus the investment in a security culture?
The Verizon DBIR 2024 places the average cost of an incident in SMEs between $120,000 and $200,000. This includes technical response, operational disruption, legal costs, and, in cases involving personal data, regulatory notification and potential fines. In comparison, structured security culture programs, which include quarterly simulations, contextualized training, and process reviews, typically represent between 5% and 15% of that value per year.
The math is simple, but the strategic reasoning goes beyond it. A security incident in an SME is not just a financial cost. It is an operational crisis that diverts the attention of management for weeks, undermines the trust of customers and partners, and, in regulated sectors, can generate restrictions that affect the ability to operate. Investing in a security culture acts like active insurance: in addition to reducing the likelihood of the event, it improves the response capability when it inevitably occurs.
5. How to build a security routine that works without hindering operational productivity?
The fundamental principle is that effective security integrates into the existing workflow rather than overlapping it. Controls that compete with productivity will be circumvented. Controls that are part of the process will be followed. The difference lies in the design.
Practical examples: multi-factor authentication set up with push notification on the corporate mobile phone takes 3 seconds and eliminates one of the largest risk categories. File sharing rules set directly in the company's collaboration platform make it easier to share through the right channel than the wrong one. Embedded checklists in financial processes add 2 minutes to a transaction and can prevent six-figure losses.
For the manager, the guideline is clear: require that any security measure proposed by the IT team, whether internal or external, be accompanied by an analysis of its impact on productivity. If the control adds significant friction without a mitigation path, the team will find shortcuts. And shortcuts are exactly where vulnerabilities reside. Smart security is the kind that the team doesn't even realize they are practicing.
The cybersecurity of your company is only as strong as the least secure habit of your team. If this study raised questions about your operational routines, Zamak Technologies offers a Strategic IT Diagnosis at no cost, focused on identifying behavioral and procedural vulnerabilities before they become incidents. Talk to our team.