I’m sure you’ve noticed that whenever a cybersecurity breach makes headlines, the finger often points straight at humans. High-profile incidents like the SolarWinds attack, where human error was cited as a key factor, the recent 23andMe breach blamed on users’ weak passwords, or Uber’s MFA fatigue incident all reinforce the narrative that humans are the weakest link in security.
But is that really fair? While there’s some truth to it, I believe it’s not the whole story.
Humans Aren’t the Weakest Link: They’re Overwhelmed by Complex Technology
The real issue isn’t human incompetence. It’s the complexity of the systems we expect people to navigate. Alert fatigue, overly complicated user interfaces, and an endless stream of warnings all contribute to burnout. Combine that with limited budgets and staffing, and it’s no wonder mistakes happen.
Expecting perfect vigilance from people isn’t just unfair. It’s impossible. Cybersecurity professionals are often overwhelmed, leading to the very errors we keep blaming them for. So, how can we make their lives easier?
Let’s explore some of these incidents to understand what’s really going on.
The SolarWinds Attack: A Systemic Failure, Not Just Human Error
Back in 2020, the SolarWinds supply chain attack compromised numerous government agencies and corporations. Initially, blame fell on a weak password (“solarwinds123”) used by an intern. It was easy to point fingers at an individual, but this oversimplification masks systemic failures in supply chain security and the lack of robust mechanisms to detect sophisticated threats.
Attackers injected malicious code into SolarWinds’ Orion software, which was then distributed to thousands of customers. The complexity of detecting such a sophisticated attack was immense. Blaming one person overshadowed the need for better technology and processes to monitor and protect software supply chains.
23andMe Breach: The Password Problem Continues
Recently, genetic testing company 23andMe experienced a data breach exposing sensitive user information. The company pointed to users reusing passwords across multiple sites, allowing attackers to access accounts through credential stuffing. But let’s be honest: is it reasonable to expect every user to maintain unique, complex passwords for every service?
With the average person juggling dozens of online accounts, password management has become overwhelming. Attackers exploited this by using leaked passwords from other breaches to access 23andMe accounts. This incident highlights the limitations of relying on users to manage password security without technological support.
Uber’s MFA Fatigue Attack: When Exhaustion Takes Over
In the Uber breach, attackers exploited multi-factor authentication (MFA) fatigue by bombarding an employee with push notifications late at night. After rejecting numerous prompts, the exhausted employee eventually accepted one, giving the attackers access. This wasn’t negligence. It was human exhaustion exploited by attackers.
The attacker then posed as Uber’s IT department, further manipulating the employee. This incident shows how social engineering and relentless technological demands can wear down even diligent individuals. Relying solely on user vigilance creates vulnerabilities that sophisticated attackers can and will exploit.
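Both incidents above leave a footprint in authentication logs that a system can spot on the user’s behalf: credential stuffing shows up as one source address failing across many accounts, and MFA fatigue shows up as a burst of denied push prompts followed by an approval. The following detector is an added example, not code from the original post or any vendor; the log format, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip kind result" (not a real product format).
SAMPLE_LOG = """\
2024-10-01T02:00:00 alice 203.0.113.9 password fail
2024-10-01T02:00:01 bob 203.0.113.9 password fail
2024-10-01T02:00:02 carol 203.0.113.9 password fail
2024-10-01T02:10:00 erin 198.51.100.4 password fail
2024-10-01T02:10:30 erin 198.51.100.4 password ok
2024-10-01T02:11:00 erin 198.51.100.4 mfa_push deny
2024-10-01T02:11:20 erin 198.51.100.4 mfa_push deny
2024-10-01T02:11:40 erin 198.51.100.4 mfa_push deny
2024-10-01T02:12:30 erin 198.51.100.4 mfa_push approve
2024-10-01T09:00:00 frank 192.0.2.7 mfa_push deny
2024-10-01T09:30:00 frank 192.0.2.7 mfa_push approve
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, kind, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, kind, result))
    return sorted(events)  # chronological: tuple comparison starts with the timestamp

def credential_stuffing_ips(events, min_users=3):
    """Source IPs whose password failures span at least min_users distinct accounts."""
    failed_users = defaultdict(set)
    for _, user, ip, kind, result in events:
        if kind == "password" and result == "fail":
            failed_users[ip].add(user)
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)

def push_bombed_users(events, min_denies=3, window=timedelta(minutes=10)):
    """Users who approved a push after denying at least min_denies pushes inside window."""
    recent_denies = defaultdict(list)
    flagged = set()
    for ts, user, _, kind, result in events:
        if kind != "mfa_push":
            continue
        denies = [t for t in recent_denies[user] if ts - t <= window]  # drop stale denies
        if result == "deny":
            denies.append(ts)
        elif result == "approve" and len(denies) >= min_denies:
            flagged.add(user)  # the fatigue pattern: worn down, then accepted
        recent_denies[user] = denies
    return sorted(flagged)
```

In the sample, frank’s single denial half an hour before his approval is ordinary behaviour and is not flagged, while erin’s three denials within two minutes of an approval are.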
How Technology Can Help, Not Burden, Humans
Instead of piling more responsibilities onto users, we need to rethink our approach to cybersecurity.
Rethinking Authentication
Passwords are a prime example. We tell people to use complex, unique passwords, change them frequently, and never reuse them. But that’s a tall order. Managing passwords isn’t their only job, and mistakes are bound to happen.
Password managers are supposed to help, but even they aren’t foolproof. The LastPass breach raised concerns about relying solely on these tools since they can become single points of failure. Although passwords remained encrypted, the incident shook user confidence.
Embracing Passwordless Technologies
What if we eliminated passwords altogether? By adopting passwordless technologies like passkeys or biometric authentication, we can enhance security and simplify the user experience. Passkeys use public-private key cryptography, allowing users to authenticate using their devices’ built-in capabilities. It’s secure and user-friendly.
For enterprises, solutions like PureAuth offer robust, passwordless authentication that reduces user burden while strengthening security. By removing the weakest link, passwords, we can prevent attacks that rely on stolen or reused credentials.
Reducing Alert Fatigue
Cybersecurity professionals face an overwhelming number of alerts daily, many of which are false positives. This constant barrage leads to alert fatigue, where genuine threats might be missed.
Our reliance on detection and response technologies like Endpoint Detection and Response (EDR) contributes to this overload. While valuable, they shouldn’t be our only defense.
Proactive Security Measures
By adopting proactive security measures, we can reduce alerts and ease the burden on professionals. Techniques like microsegmentation compartmentalize the network, limiting threat spread and reducing the attack surface. Solutions like the Xshield Enterprise Microsegmentation Platform™ create micro-perimeters that contain breaches, protect assets, and keep critical systems defended even while an attack is under way.
By fortifying networks from the start, we prevent threats from reaching users in the first place. This approach lessens the reliance on human vigilance and reduces the chances of error due to fatigue or complexity.
Let’s Make Technology Work for People
This Cybersecurity Awareness Month, let’s shift the narrative. Too often, we blame the easy victim, users, when the real issue lies in the systems they’re forced to work with. As responsible technologists, it’s our duty to simplify their lives, not complicate them.
It’s time to stop expecting users to be perfect and start designing systems that support them better. After all, security is a collective responsibility, and technology should be an enabler, not an obstacle.