60% of Breaches Still Involve a Human. Training Cuts Phishing by 86%.
Every year, the cybersecurity industry invests billions in technology: next-generation firewalls, AI-powered detection, zero-trust architectures, extended detection and response. And every year, the data tells the same story: the human element remains the most exploited vulnerability in the enterprise. In 2025, that story continued, but so did a quieter, more encouraging one about what happens when organisations invest in their people.
The Persistent Human Factor
The Verizon 2025 DBIR found that the human element was a factor in approximately 60% of all breaches. Social engineering accounted for 36% of all security incidents. The median time for someone to fall for a phishing email was less than 60 seconds.
The scale in our region:
- 34% of global social engineering incidents targeted Asia-Pacific
- 30.5% year-over-year increase in phishing attacks across Australia, New Zealand, Japan, and Singapore
- During Singapore's Exercise SG Ready 2025, over 30% of phishing simulation emails were opened and 17% of malicious links were clicked
- Business email compromise (BEC) generated USD 2.7 billion in reported losses globally
The Emerging Sophistication Gap
What makes the human factor more dangerous in 2025 is the sophistication enabled by AI. ClickFix fake CAPTCHA attacks, which trick users into executing malicious commands, saw a 1,450% spike from H2 2024 to H1 2025. AI-generated phishing emails achieve click rates of 54%, compared to 12% for traditional campaigns.
The attackers have raised their game. Defenders need to raise theirs, not just with technology, but with people.
The Case for Investment in Awareness
The data on effectiveness is unambiguous:
- Organisations with ongoing training reduced phishing click rates to as low as 1.5%
- Comprehensive training programmes cut phishing incidents by 86%
- These numbers represent one of the highest returns on investment available in cybersecurity
At Blue Island Security, our Phishing Defence and Awareness platform combines simulated phishing campaigns with continuous education, not as an annual compliance exercise, but as a core component of organisational resilience.
People aren't just the weakest link. With the right investment, they become the strongest defence.
This is Part 6 of an 8-part series. The full 2025 Cybersecurity Year in Review from Blue Island Security will be available for download soon.