
Humans Are The Perpetual Zero-Day – Ep 532 

 October 24, 2025

By  Donna Grindle

Welcome to the digital Twilight Zone, where AI is evolving faster than your weekend plans, and people are still out here using “password123!” like it’s a life hack. This episode digs into the “Oh, Behave!” cybersecurity behavior report and asks the big questions: Why do we keep doing dumb things online? Can training catch up with tech? And why are Gen Zs so confident while also being the most hacked? Spoiler: it’s equal parts fascinating and terrifying.


In this episode:

Humans Are The Perpetual Zero-Day – Ep 532

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA


Humans Are The Perpetual Zero-Day

[00:38]

Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2025

Annual National Cybersecurity Alliance + CybSafe study of 7,000 people across 7 countries; fifth year running.

“Oh, Behave!” The report proves the real vulnerability still has a pulse.

Opening points in the report are painfully familiar to us. All are conversations we have had over the past few months – not sure if we really needed this much confirmation though.

If 2024 was the year of ‘Can AI really do that?’, then 2025 is the year of ‘Should AI be able to do that?’

Shadow AI is creeping into workplaces, with half of employees feeding sensitive data into unsanctioned tools. Meanwhile, training lumbers along miles behind adoption.

In other words, the tech might be shiny, but human behavior is still the risk frontier.

[11:41]

I think it is awesome that they take an approach similar to HICP (the HHS 405(d) Health Industry Cybersecurity Practices) by focusing on 5 critical security behavior types:

  1. Ensuring password hygiene
    1. Password creation habits – specifically, password length, use of personal information, and single dictionary word
    2. Using separate passwords
    3. Password management techniques
  2. Using multi-factor authentication (MFA)
  3. Installing the latest software updates
  4. Backing up data
  5. Checking messages for signs of phishing and reporting them
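The first two behaviors above are the ones you can actually measure in your own environment. The following is an added example, not code from the report, NCA, CybSafe, or this podcast: a small Python audit that applies the three password-creation criteria the report names (length, personal information, single dictionary word dressed up with padding or letter substitutions) and then flags reuse across accounts. The word list, the 12-character minimum, and the sample account inventory are all constructed assumptions; swap in your own policy values and a real word list.

```python
import re

# Constructed stand-in for a real dictionary word list (assumption: a deployed
# checker would load a full list such as /usr/share/dict/words or a breach corpus).
DICTIONARY = {
    "password", "welcome", "summer", "dragon", "letmein", "monkey",
    "football", "sunshine", "qwerty", "hospital", "admin",
}

# Common substitutions people use to dress up a single word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s"})
# Padding characters typically bolted onto the front or back of a word.
PADDING = "0123456789!#%^&*()_-+=.,;:'\"?/\\<>[]{}|~` "
MIN_LENGTH = 12  # assumption: set this to the length your policy requires


def core_word(password):
    """Reduce 'P@ssw0rd123!' to 'password' so it can be matched against the list."""
    stripped = password.lower().strip(PADDING)
    return re.sub(r"[^a-z]", "", stripped.translate(LEET))


def check_password(password, personal_info=()):
    """Findings against the report's three creation-habit criteria:
    length, personal information, and a single dictionary word."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short ({len(password)} < {MIN_LENGTH} chars)")
    lowered = password.lower()
    for item in personal_info:
        token = str(item).lower()
        if len(token) >= 3 and token in lowered:
            findings.append(f"contains personal info {token!r}")
    core = core_word(password)
    if core in DICTIONARY:
        findings.append(f"single dictionary word {core!r} with padding/substitutions")
    return findings


def find_reuse(credentials):
    """Group accounts that share the same password (the 'separate passwords' check).
    Runs on plaintext you already hold locally; never send these to a remote service."""
    accounts_by_password = {}
    for account, password in credentials.items():
        accounts_by_password.setdefault(password, []).append(account)
    return [sorted(accts) for accts in accounts_by_password.values() if len(accts) > 1]


def audit(credentials, personal_info=()):
    """Per-account findings, plus reuse groups, for a small credential inventory."""
    report = {acct: check_password(pw, personal_info) for acct, pw in credentials.items()}
    for group in find_reuse(credentials):
        for acct in group:
            report[acct].append(f"reused across {', '.join(group)}")
    return report


# Constructed sample inventory (not real credentials) exercising each check.
SAMPLE_ACCOUNTS = {
    "ehr-portal": "password123!",
    "email": "P@ssw0rd",
    "vpn": "Donna1978!!",
    "bank": "password123!",
    "file-share": "correct horse battery staple",
}
SAMPLE_PERSONAL_INFO = ("Donna", 1978)

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS, SAMPLE_PERSONAL_INFO).items():
        print(f"{account:12} {'OK' if not findings else '; '.join(findings)}")
```

Note that "password123!" passes the length check at exactly 12 characters and still fails, because once the trailing padding is stripped it is the single word "password". A length rule on its own does not catch the habit the report is describing; the normalization step is what does.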

Key Findings

AI is still a concern

  • 65% of respondents believe AI will make it easier for criminals to pose as someone else.
  • Despite the surge in AI usage, 58% of users report receiving no training on security or privacy risks.

Cybercrime is hitting wallets harder than ever

  • 44% of respondents reported experiencing cybercrime that led to data or monetary loss, up nine percentage points from 2024.
  • Younger generations were hit hardest: 59% of Gen Z and 56% of Millennials reported losses from scams.

Security habits show ongoing weaknesses

  • 62% of respondents report regularly creating unique passwords, a decline from 2024, while 41% never use a password manager.
  • While multi-factor authentication is widely recognized (77%), only 41% use it regularly.
  • 56% of participants update their software frequently, though only 47% consistently back up important data.

[17:57]

AI the gift that will keep on giving

  • 65 percent now use AI; safeguards lag. “Adoption has exploded.”
  • More than half of employed AI users have not had AI-risk training (52 percent).
  • 43 percent of workers admit sharing sensitive work info with AI tools without employer knowledge (shadow AI).

Shadow AI: what people are pasting into chatbots

  • Of those who shared, 50 percent shared internal documents; 44 percent shared customer/client data; 34 percent proprietary code.
  • Generational split: 48 percent of Gen Z/Millennials shared sensitive work info vs 30 percent Gen X, 20 percent Boomers.

Deepfakes are growing

  • 34 percent received a deepfake voice/video scam call; among those targeted, 42 percent lost money or data.
  • Who’s impersonated most? Family (41 percent), then friends (32 percent), banks (28 percent).
  • Emotional fallout of cyber scams is real: stress 51 percent, anger 49 percent, anxiety 42 percent.

Impacts of cybercrime

Around two-thirds of participants (68%) express worry, an increase since 2024, and particularly pronounced among younger generations (70% of Millennials). Yet only 41% consider themselves likely targets. This perception has shifted away from older generations toward younger ones, suggesting a growing disconnect between risk awareness and self-perceived vulnerability.

For the first time, our data shows the scale of deepfake scams. Over a third (34%) of participants have experienced deepfake scam calls, with younger age groups again being more frequently targeted.

Cybercrime victimization often causes significant emotional distress, including stress (51%), anger (49%), and anxiety (42%).

That list of problems applies to you personally, your coworkers and to your patients or clients.

[26:21]

Training: still the homework nobody has time for

This is the quote from the report that concerns me the most:

This is the knowing-doing gap in action. And it’s widening. People know what’s secure. They just don’t actually do it.

That was in the opening but further down in the training discussion they made it more specific:

The bigger issue here is impact. Most attendees (83%) said training was useful, but fewer than half actually changed their behavior as a result. Only 47% said they became better at spotting phishing, 42% started using MFA, and 40% adopted strong passwords.

We constantly make the point that training is a constant requirement. So many do the same thing over and over, along with annual training. That may get the information out there, but does it make a difference if it isn’t used? Knowledge doesn’t protect data – action does. We need to get more training out there. But once we get it out there, we have a bigger problem: getting people to actually take action based on that knowledge.

  • Only 32 percent report having access to and using cyber training; 55 percent say they have no access.
  • Top reason people skip training this year: not enough time (21 percent), followed by doubting training reduces risk (20 percent).
  • Preferred formats: video leads (44 percent), then periodic online courses (34 percent), written materials (30 percent).

All that gamification push we had for the last five or six years isn’t paying off now that people have tried it; it doesn’t even make the list of preferred formats.

[40:44]

Over confidence or giving up

Nearly half (48%) of participants say they feel highly confident, led by Millennials (60%) and Gen Z (58%), and particularly those in tech-focused sectors. In contrast, confidence is lowest among older generations and those in fields like healthcare and government.

Even though they say they aren’t doing what the training tells them, they seem overconfident in their ability to manage the risks they learned about. Just look at what the report says about using MFA:

Convenience continues to trump security in many cases, particularly when it comes to MFA. A concerning 23% of participants have never even heard of it, and only 41% use it regularly. Somewhat surprisingly, older generations are more diligent: 49% of Baby Boomers use MFA regularly, compared to just 17% of Gen Z, who dismiss it as unnecessary or inconvenient. Only 43% of people use biometrics to log in, with reluctance driven by concerns about companies mishandling biometric data or fears of it being hacked.

The other end of the spectrum is the ones who have just given up trying.

[47:23]

But we still have the disconnect between “whose job is it anyway?” and my own personal responsibility.

So what did we learn today, kids? AI is scary-smart, people are scary-dumb, and the gap between knowing better and doing better is wide enough to drive a ransomware truck through. Whether you’re a Gen Z sharing sensitive files with sketchy AI tools or a boomer suspicious of your microwave, one thing’s clear: the tech may be shiny, but humans are still the glitch in the matrix. Stay vigilant, stay skeptical, and maybe, just maybe, use a password manager already.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
