My Wake-Up Call to the Human Attack Surface

By Chris Smith, Author of Privacy Pandemic and Founder of DFend

In the winter of 2019, I opened my laptop and caught someone else in the act, remotely accessing my device and scraping my Salesforce contacts in real time. I did what anyone might do: I picked up my iPhone and started recording. That video became the first documented evidence of what I would later learn was a sophisticated, insider-targeted cyberattack.

The point of entry? My iCloud account and Wi-Fi router.

That story, and everything that followed, became the foundation of my book, Privacy Pandemic, and led to the founding of DFend. But it’s more than a personal narrative. It’s a real-world case study in what’s quietly become cybersecurity’s most dangerous blind spot: the individual.

Despite billions spent on enterprise tools and protocols, 74% of breaches involve human behavior, according to IBM. Phishing clicks. Password reuse. Device sharing. Unsecured networks. These are still the front doors attackers walk through. And yet we keep treating employees as if their security risk stops at the office door.

IBM’s research found that Chief Information Security Officers (CISOs) rank human error as their number one cybersecurity concern. So—let’s be honest—why isn’t more being done about it?

The Modern Breach Doesn’t Start With a Server

It starts with an email. A fake calendar invite. A text that looks like it came from your bank—or worse, your CEO. A deepfake video posted in a Slack channel asking for banking credentials. (Yes, that happened to a friend of mine.)

Or it starts with a personal iCloud account linked to a work-issued MacBook Pro. That single connection, innocuous to most, gave my attackers lateral access to my business life—documents, credentials, even control of my laptop.

This wasn’t a fluke. It’s the new normal.

In 2024 alone, over 3,200 data breaches were reported, and more than a billion user records were compromised. The global cost of cybercrime is projected to reach $10.5 trillion annually in 2025 (a Cybersecurity Ventures estimate).

Cybercriminals have adapted to the way we now live and work: fluidly, across personal and professional identities, across devices, and across locations.

Unfortunately, our security models have not.

Identity Is the New Perimeter

According to JumpCloud, 87% of companies depend on employees using personal smartphones to access business apps. In the U.S., 82% of organizations now have a Bring Your Own Device (BYOD) program in place. And according to industry estimates, allowing BYOD saves organizations approximately $350 per employee per year.

The logic is clear: lower hardware costs, more flexibility, greater employee satisfaction.

But here’s the tradeoff: every mixed-use device becomes a bridge between corporate assets and personal vulnerabilities.

When an employee's personal identity credentials are breached, attackers gain a foothold on the same devices that employee uses for work. That includes access to:

  • Saved corporate credentials in browsers
  • Sensitive work emails
  • Client contact details, documents and IP

From there, the breach doesn’t just compromise the individual. It compromises the company.

Despite this, most organizations do not offer identity protection or proactive digital risk monitoring to their employees. No cybersecurity training. No 24/7 threat detection. No behavior-based alerts. No early warning system.

Why not?

Some say it’s not the company’s responsibility. Others claim it’s too personal, too hard to scale, or too expensive.

But that’s a false economy. If BYOD saves $350 per employee annually and you invest, say, $120 per employee (an illustrative figure) in real-time threat detection, you still net $230 in savings per user while reducing enterprise risk.

And when the average cost of a breach now exceeds $4.5 million (IBM), the return on that prevention investment becomes more than compelling—it becomes necessary.

The question is no longer whether identity is the new perimeter.

The question is whether we’re willing to defend it.

Why We Protect Servers but Not People

Ask a CISO why the traffic between cloud environments and enterprise tools is monitored 24/7, and you’ll get a direct answer: it’s too risky not to.

But ask why human users, who are statistically far more likely to be the source of a breach, aren’t offered similar always-on protection, and you’ll most likely hear something like this:

“That’s personal.” “That’s not our data.” “That’s a user problem.”

The truth? It’s everyone’s problem now. The moment a user’s device touches your network, it carries their entire digital footprint with it—good habits, bad passwords, and all.

And yet, we remain stuck in a reactive mindset—chasing incidents after the fact instead of preventing them.

That’s the same gap that allowed the attack on me to unfold undetected.

From Human Error to Human Resilience

Here’s what I’ve come to believe: if people are the new perimeter, they must become the new priority.

It’s time to move from an infrastructure-centric to a people-centric security model:

  • One that protects employees continuously, 24/7.
  • One that monitors digital behavior for threats, just like we do for APIs and endpoints.
  • One that offers real-time guidance the moment something seems off.

That’s what I set out to build with DFend: a digital safety platform designed to protect individuals, not just enterprises. Because when you protect the person, you protect the company, too.

The Real Pandemic

We are in the middle of a silent pandemic—not of pathogens, but of phishing, password reuse, social engineering, insider threat, and neglected digital hygiene.

The cure isn’t another breach response team or forensic vendor. The cure is prevention. Proactive, continuous, user-first protection.

This is the human attack surface. And unless we start treating people as the perimeter they’ve become, we’ll continue paying the price—in breaches, in trust, and in lives disrupted.

Stay Safe,

Chris

Privacy Pandemic: https://www.amazon.com/Privacy-Pandemic-Cybercriminals-Privacy_and-Policymakers/dp/1645433935/ref=tmm_hrd_swatch_0?_encoding=UTF8&qid=1701181551&sr=8-1

DFend: https://www.dfend.app/join-the-waitlist