Companies and organizations are investing more and more money into cyber security defenses to protect against targeted attacks and widespread malware outbreaks alike.  The good news is, the spending spree on defenses seems to be working. A recent report found retailers were spending more on cyber defenses and seeing fewer breaches. The bad news is, there’s one vulnerability that can never fully be fixed: humans.


While system vulnerabilities can be patched and security suites can be upgraded, people will always carry a certain level of risk, in part due to unavoidable human error and in part because they haven’t been taught proper security protocols to avoid common pitfalls. Organizations have to account for those problems and be ready to defend against them.

Falling For Phishing Attacks

Phishing attacks are growing increasingly common and come either as broad, untargeted campaigns or as targeted efforts commonly referred to as spear phishing. They usually arrive as an email carrying a malicious attachment or link; opening the file or following the link can hand the attacker the user’s credentials or a foothold on the machine, and from there the account is compromised.

These attacks can arrive in a number of ways, but the most common is email. Occasionally a crude, spam-like phishing message slips past the email filter into a person’s inbox, but the more dangerous phishing attacks are crafted to look and read like a genuine email from a trusted source.

In the case of a widespread phishing attack launched earlier this year, attackers abused Google’s third-party app authorization flow, registering a malicious application named “Google Docs,” to target Gmail users. The email looked like an invitation to edit a document and came from addresses a user would trust.

To accomplish this, an attacker either spoofs the sender address, often by registering a look-alike domain that swaps in characters which pass at a glance (such as “cl” for “d,” “rn” for “m,” or a zero for the letter “o”), or hijacks a real user’s account and spreads the attack to that user’s contacts. The latter is what happened in the Google Docs campaign: the fake app requested permission to read the victim’s contacts and send email as the victim, so the next wave of invitations came from genuine accounts.
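The look-alike domain trick is mechanical enough to check for in code. The block below is an added example, not code from the article or from Google; the trusted-domain list, the confusable table and the sample From: headers are all constructed for illustration. It normalizes both the sender domain and each trusted domain to the string they visually imitate and compares those, and it also flags a trusted brand used in the display name while the address sits on an unrelated domain.

```python
"""Look-alike sender check for the spoofing pattern described above.

Added example, not part of the article. Trusted domains, confusable table and
the sample From: headers are all constructed for illustration."""
from email.utils import parseaddr

# Substitutions that survive a quick glance: a digit for a letter, or a pair of
# letters that together resemble one letter ("cl" -> "d", "rn" -> "m", "vv" -> "w").
# Single characters are applied first so that "c1oud" becomes "cloud" before the
# pair rule turns "cl" into "d". The same rules are applied to the trusted domain,
# so the comparison is skeleton against skeleton, never skeleton against raw text.
SINGLE = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"}
PAIRS = [("cl", "d"), ("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Collapse a domain to the string it visually imitates."""
    s = "".join(SINGLE.get(ch, ch) for ch in domain.lower())
    for fake, real in PAIRS:
        s = s.replace(fake, real)
    return s


def is_genuine(domain: str, trusted: set) -> bool:
    """True for a trusted domain or one of its real subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def lookalike_of(domain: str, trusted: set):
    """Return the trusted domain `domain` imitates, or None if it does not.

    Two impersonation patterns are caught: a confusable spelling of the whole
    domain ("g00gle.com", "rnicrosoft.com", "clropbox.com") and a trusted name
    embedded in an unrelated registrable domain ("google.com.login-check.net",
    "docs-google.com"). A genuine subdomain such as docs.google.com is not a hit.
    """
    domain = domain.lower()
    if is_genuine(domain, trusted):
        return None
    sk = skeleton(domain)
    for t in sorted(trusted, key=len, reverse=True):
        if skeleton(t) in sk:  # equal, or embedded as a substring
            return t
    return None


def check_sender(from_header: str, trusted: set):
    """Classify a From: header as ok / lookalike / brand-mismatch / unparseable.

    Returns (verdict, trusted_domain_or_None). A look-alike check says nothing
    about mail sent from a genuinely hijacked account, the other path described
    above; that needs content or behavioural analysis instead.
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower()
    hit = lookalike_of(domain, trusted)
    if hit:
        return ("lookalike", hit)
    # Display name borrows a trusted brand while the address lives elsewhere.
    name = display_name.lower()
    for t in trusted:
        if t.split(".")[0] in name and not is_genuine(domain, {t}):
            return ("brand-mismatch", t)
    return ("ok", None)


TRUSTED = {"google.com", "microsoft.com", "dropbox.com"}

# Constructed sample headers, not real mail.
SAMPLES = [
    "Google Docs <no-reply@g00gle.com>",
    "Drive <drive-shares-noreply@docs.google.com>",
    "Drive <share@docs.goog1e.com>",
    "IT Support <support@rnicrosoft.com>",
    "Dropbox <share@clropbox.com>",
    "Google Drive <share@drive-share.net>",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(f"{hdr:48} -> {check_sender(hdr, TRUSTED)}")
```

Skeleton matching deliberately over-collapses (every "cl" becomes "d"), which is harmless because only collisions with a domain on the trusted list are reported; the cost is an occasional false positive for a legitimate domain whose skeleton happens to equal a trusted one, so treat a hit as a reason to quarantine and review rather than to drop silently.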

These widespread attacks often aren’t all that successful; they rely on hitting as many people as possible and hoping at least a few fall victim. Targeted spear phishing attacks present much more of a threat, as they often pick just one or a few targets and come armed with intimate information about a potential victim.

Marco Cova, a senior security researcher at cyber security defense firm Lastline, warned the amount of data now available about a person—be it from social media accounts or from prior data breaches beyond a person’s control—can make it easy for attackers to personalize their attacks.

“[Attackers] merge data from multiple sources, building dossiers on potential victims, including spear phishing targets,” he said. “The information that they gather does not have to be highly confidential in order to create successful attacks. Data breaches provide a distribution hub for malware for years to come.”

These types of threats can be hard to protect against, especially when automated systems fail to catch them. Mike Gillespie, a special advisor at the International Institute of Risk & Safety Management (IIRSM), said companies should “ensure training is relevant and regular” in order to remain vigilant.

“The threat landscape changes fast,” he said. “Make sure all staff, including senior management are thoroughly trained and enabled to question emails, files or activities they feel are counter to organizational security.”

Infections That Spread Across The Network

In recent months, widespread malware outbreaks have hit companies and organizations in devastating ways. The WannaCry ransomware attack and the Petya-style “wiper” (now generally called NotPetya) held vital information hostage or destroyed it outright and prevented organizations from performing daily operations.

Both spread quickly through networks by exploiting a Windows SMB vulnerability that Microsoft had patched in March (MS17-010). Many organizations had not applied the update, and a single unpatched, reachable machine was enough for the worm to get in and move from host to host.

These types of attacks can start in a number of ways. Often the initial infection is an email attachment designed to look like a PDF or Microsoft Office file. When opened, the malicious code runs in the background, installs malware and compromises the device, and the malware then spreads across the organization’s network to other machines.

Other attacks can use more novel approaches that can be more difficult to trace to their source. Earlier this year, a document dump from WikiLeaks showed how the CIA was able to compromise air-gapped computer networks by first infecting an internet-connected machine, then waiting for a USB drive to be inserted into that computer.


The malware would then infect the USB, which could then be spread to computers kept off the internet should the USB be plugged into those machines.

A similar attack could be carried out by a malicious actor in order to compromise an organization’s network, potentially doing significant damage to internal systems that contain invaluable information.

“Almost all of the organizations affected will find, when they do their incident investigation thoroughly, that one of their staff has downloaded unauthorized software, or clicked on a phishing email or attached an infected USB device to their network,” Gillespie said. “Without this human intervention, very little malware has any potency.”

When these attacks spread, often deleting important files or encrypting data to extort a ransom, the best defense an organization can have is backups that let it restore systems to a state prior to the infection and return to operation quickly. Those backups are only useful if they are kept offline or otherwise unreachable from the infected machines (ransomware routinely encrypts any backup share it can write to) and if restoring from them has actually been tested.

Unsecure Password Practices

Passwords are an outdated form of security, but continue to be necessary. Until organizations are ready to move their entire workforce to more secure forms of authentication—an overhaul of operations that can take time to implement—passwords will continue to be an unfortunate requirement, and people will often fall short of best practices.

This is not entirely the fault of an individual. It is the impression of most people that secure passwords contain a confusing mix of characters—upper and lower case letters, symbols and numbers—that are nearly impossible for the average person to remember. In response to that belief, people will often make other mistakes that undo the supposed security of those complex logins by reusing passwords.


“Humans are inherently bad at making passwords and continue to reuse passwords despite the obvious risks,” LastPass General Manager Matt Kaplan told International Business Times. He said if users aren’t using unique passwords for all online accounts, “you’re doing it wrong.”

Most people know this, but plenty still don’t abide by the practice. As a result, accounts are often at risk even when the owner thinks their password is secure.

Reusing passwords is the biggest risk, as a single breach can lead to other accounts being compromised. An attacker may pull account credentials from a major breach like the LinkedIn or Yahoo incidents, look for email addresses belonging to a target corporation or organization, and then try the leaked password against that user’s other accounts, a technique known as credential stuffing.

Such attacks have led to breaches like the ones that hit music social network 8tracks and restaurant search and discovery site Zomato. Those hacks, in which an attacker compromised an employee account that had access to internal data, led to breaches that affected site users as well as the company’s internal systems.

It is possible to minimize these types of breaches by embracing better practices for password safety and, in some cases, more secure methods of authentication. Earlier this year, the National Institute of Standards and Technology (NIST) revised its digital identity guidelines (Special Publication 800-63B) and changed some of its recommendations for password practices.

The government body, which sets the security standards and best practices adopted by many private sector entities including enterprise organizations, advised organizations against requiring password changes unless there is evidence a password has been compromised because requiring rotating credentials often leads to users creating less secure passwords.

This is a change from previous recommendations that advised organizations to require changing passwords every 90 days in order to defend against breaches. However, the practice was found to lead to less secure passwords as employees would simply use slightly modified versions of previous passwords.

NIST also suggested encouraging the use of passphrases, longer passwords made of several words, rather than shorter passwords built from characters that are difficult to commit to memory, and dropped the old composition rules that demanded a mix of character classes. Longer phrases are harder for attackers to crack and easier for users to remember. The guidance also calls for checking every new password against lists of known-compromised, common or easily guessed values and rejecting any that match.
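The difference between the old rules and the NIST guidance is easiest to see as two policy functions side by side. The block below is an added example written for this page, not NIST’s own code or text; the breached-password list, the usernames and the 128-character upper limit are constructed for illustration (NIST only requires that at least 64 characters be accepted). It shows a breached “complex” password sailing through the legacy rules and failing the blocklist, a four-word passphrase doing the reverse, and calendar-based rotation versus rotation on evidence of compromise.

```python
"""Old 'complexity + 90-day rotation' rules next to NIST SP 800-63B style rules.

Added example, not NIST's code or text. The breached-password list, usernames
and MAX_LENGTH below are constructed for illustration."""
import hashlib
import re

# Stand-in for a leaked-credential corpus: only SHA-1 digests are stored, as
# breach-list services do, so plaintexts never live in the policy code.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("P@ssw0rd1", "Summer2017!", "Welcome123!", "Qwerty!23", "password")
}
MIN_LENGTH = 8      # NIST minimum for user-chosen secrets
MAX_LENGTH = 128    # local choice; NIST says to accept at least 64 characters


def legacy_policy(pw: str) -> list:
    """Composition rules: 8+ chars with upper, lower, digit and symbol.
    Returns the list of failed rules; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for label, pattern in (("upper-case letter", r"[A-Z]"),
                           ("lower-case letter", r"[a-z]"),
                           ("digit", r"[0-9]"),
                           ("symbol", r"[^A-Za-z0-9\s]")):
        if not re.search(pattern, pw):
            problems.append(f"no {label}")
    return problems


def legacy_needs_rotation(age_days: int) -> bool:
    """Forced change on a calendar schedule, regardless of compromise."""
    return age_days >= 90


def is_sequential(pw: str) -> bool:
    """'12345678', 'abcdefgh': every character is the next code point."""
    return len(pw) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def nist_policy(pw: str, username: str = "", service: str = "") -> list:
    """NIST-style check: length, a breached-password blocklist, and the
    repetitive, sequential and context-specific values 800-63B names.
    No composition rules: a four-word passphrase with no digit passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    if re.fullmatch(r"(.)\1+", pw):
        problems.append("single repeated character")
    if is_sequential(pw):
        problems.append("sequential characters")
    lowered = pw.lower()
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            problems.append(f"contains context-specific word {ctx!r}")
    return problems


def nist_needs_rotation(evidence_of_compromise: bool) -> bool:
    """Change only when there is reason to think the secret leaked."""
    return evidence_of_compromise


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Summer2017!", "correct horse battery staple", "12345678"):
        print(f"{pw!r:32} legacy: {legacy_policy(pw) or 'ok'}")
        print(f"{'':32} nist:   {nist_policy(pw, username='jsmith', service='acme') or 'ok'}")
    print("legacy rotation at 91 days:", legacy_needs_rotation(91))
    print("nist rotation without compromise:", nist_needs_rotation(False))
```

In production the blocklist lookup is the part that matters most and the part most often skipped: a policy that accepts "Summer2017!" because it has four character classes is exactly the policy the article’s quoted study was measuring. Hash the candidate and query a breach corpus rather than shipping the list with the application.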

Kaplan of LastPass advised using two-factor or multifactor authentication methods that require a secondary method of proving one’s identity beyond just username and password. “That way, even a compromised password won’t allow access to your email account,” he said.