The Biggest Blind Spots in Today’s Cybersecurity Workforce, and Why Attackers Are Exploiting Them

Serge-Olivier Paquette, the Chief Product Officer at Flare, identifies some of the most significant blind spots in today’s cybersecurity workforce and explains how attackers are exploiting them. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Downloading Roblox on a work laptop might seem innocent—until it isn’t. A single infostealer infection from a browser extension or a malware-laced game downloaded by an employee’s child can provide the same level of access as a sophisticated supply chain attack.

Security teams must rethink what “threat” means and stop underestimating the soft spots. Personal device usage, remote and hybrid work, and shadow IT create unexpected weak links in security posture. These blind spots aren’t just minor oversights; they are the preferred entry points for adversaries deploying the latest TTPs. Non-technical departments need to be as clued in as the rest of IT, but there is still a prevalent issue of data silos. If the SOC team detects an AI-crafted phishing attempt but doesn’t immediately share it with HR or finance, attackers have a window to target executives with payroll fraud emails.

The attack surface continues to grow with businesses using multi-cloud and hybrid work environments. Even with adaptive security systems, organizations struggle with issues like identity sprawl, poor segmentation of personal and corporate resources, and slow response to AI-powered attacks. Moreover, AI-driven breaches are surging, with 87 percent of organizations impacted in the past year.

The most overlooked security workforce deficiencies are threat actors’ biggest targets to actively exploit. Understanding how attackers manipulate them is the first step to reliable defense.

Compliance Frameworks Were Built for a Simpler Security Model

If we consider typical cybersecurity teams that assume clear demarcation lines between IT, OT, and cloud environments, we identify part of the problem. Data processing and business applications might sit with IT, while the systems that automate industrial processes concern OT; they are increasingly interconnected, and adversaries understand that.

The blurred perimeter of modern enterprise networks—where endpoints, cloud workloads, and remote access merge—has led to a rise in identity-centric attacks, supply chain compromises, and cloud service abuse. A cloud misconfiguration in an exposed API could allow attackers to move laterally into OT networks, where compliance never accounted for cloud-originated attacks.

The shift to hybrid and multi-cloud infrastructures requires security teams to adopt a unified threat-centric approach. They must implement active detection and response to catch these cross-domain threats, indicating that compliance frameworks also need updating.

Most frameworks (ISO 27001, NIST 800-53, SOC 2) require organizations to document incident response processes, but don’t enforce real-time automated responses to ongoing attacks. A company might log cloud identity and access management (IAM) changes (as part of general compliance requirements) but fail to detect an attacker escalating privileges until after a breach. Security teams must go beyond the standards and implement continuous threat hunting or adversary simulation to ensure threats are being detected.

More to the point, attackers don’t care about policy documents; they care about misconfigurations, excessive IAM permissions, and unsecured API endpoints that allow lateral movement across hybrid environments. Rather than relying on compliance checkboxes and isolating responsibilities between departments, cybersecurity teams must regularly test whether attackers can pivot between environments and implement strict just-in-time access and least privilege principles.

Poor Isolation Between Corporate and Personal Resources

As IT, OT, and cloud environments are no longer isolated, similar issues are happening at the user level. The same corporate-issued devices used to handle sensitive data are frequently used for personal activities, such as checking Facebook or employees’ kids downloading games. This lack of clear segmentation creates prime opportunities for threat actors to deploy infostealers and clone sessions.

A child might think they’re downloading Roblox from an official source, but it’s actually a malicious installer loaded with spyware or a stealer. These trojans can silently scan browser storage or install keyloggers, capturing login credentials as users type or copy them.

Malicious actors can extract saved credentials and exfiltrate sensitive data from the compromised device to bypass MFA and gain persistent access to privileged enterprise applications. Without active session monitoring, these attacks can go undetected long after the breach. This was the case with Marriott Hotels, whose database was breached in July 2014 and went undetected until September 2018.

The industry’s continued reliance on weak or outdated device posture management, bring-your-own-device (BYOD) policies, and user education on session persistence creates an ideal attack surface for hackers.

Organizations today, especially those with highly sensitive data, must segment networks into isolated zones and restrict communication between different parts of the network. For instance, financial or legal services often use remote browser isolation (RBI) to prevent malicious code from reaching devices. However, it can slow processes down due to cloud-based rendering. It is more expensive than identity-based controls (IAAC), which might suffice for the general workforce since it grants access based on who you are, where you are, and what device you’re using. If an employee logs into personal Gmail in the same browser as their corporate Single Sign-On (SSO), IAAC forces reauthentication or denies access to corporate apps.

Security Teams Are Losing the Race Against Automated and AI-Driven Attacks

While enterprises deploy traditional SOC workflows and SIEM rules, adversaries leverage automation, AI-driven reconnaissance, and LLM-powered phishing. According to the US Cybersecurity and Infrastructure Security Agency, over 90 percent of successful cyber-attacks begin with phishing emails.

Security teams often struggle with tool fatigue, drowning in alerts without context. Say a phishing attack steals a user’s credentials; the SIEM alerts on “multiple logins.” But analysts don’t know whether it’s just the user logging in from different devices or an actual account takeover. Since modern security tools—SIEMs, EDRs, and cloud security platforms—generate thousands of detections daily, it is hard to prioritize them or correlate them with real threats.

Returning to our earlier point, a more holistic threat-detection approach is needed. Security teams must look for ways to automate tools that link identity, network, and endpoint signals to detect real compromises. They should also pay closer attention to unusual session persistence, token reuse, and privilege escalation instead of basic login anomalies.
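As an added illustration of the correlation described here and of the IAM-change gap noted earlier (example code written for this article, not Flare's tooling): the events, session identifiers, IP addresses and device fingerprints are constructed. Two separate logins from two devices are treated as benign; the same session identifier presented from a different IP and fingerprint is flagged as session reuse, and an admin role grant issued from that session is raised as a high-severity privilege escalation.

```python
"""Correlate identity signals so that benign multi-device logins are
separated from cloned sessions and from privilege escalation.
All events below are constructed for this example, not real logs."""

# Constructed events: alice logs in from a laptop and a phone (benign),
# then her laptop session cookie is replayed from an unknown host, which
# goes on to attach an admin role to her account.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "type": "login", "user": "alice",
     "session": "s1", "ip": "203.0.113.10", "device": "fp-laptop"},
    {"ts": "2025-03-01T09:05:00", "type": "login", "user": "alice",
     "session": "s2", "ip": "198.51.100.7", "device": "fp-phone"},
    {"ts": "2025-03-01T09:30:00", "type": "request", "user": "alice",
     "session": "s1", "ip": "203.0.113.10", "device": "fp-laptop"},
    {"ts": "2025-03-01T09:31:00", "type": "request", "user": "alice",
     "session": "s1", "ip": "192.0.2.55", "device": "fp-unknown"},
    {"ts": "2025-03-01T09:33:00", "type": "iam_change", "user": "alice",
     "session": "s1", "ip": "192.0.2.55", "device": "fp-unknown",
     "action": "AttachRolePolicy", "role": "admin"},
]


def detect(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    origin = {}   # session id -> (ip, device) that established it
    cloned = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        sid, here = e["session"], (e["ip"], e["device"])
        if e["type"] == "login":
            # A new session from a new device is a normal multi-device
            # login, not cloning; just record where it started.
            origin[sid] = here
            continue
        if sid in origin and origin[sid] != here and sid not in cloned:
            cloned.add(sid)  # report the first deviation only
            findings.append(("session_reuse",
                             f"{e['user']} session {sid} used from {here}, "
                             f"established at {origin[sid]}"))
        if e["type"] == "iam_change" and e.get("role") == "admin":
            # An admin grant is medium on its own, high if the session
            # issuing it has already been seen from a second device.
            sev = "high" if sid in cloned else "medium"
            findings.append(("privilege_escalation",
                             f"{sev}: {e['action']} {e['role']} by "
                             f"{e['user']} via session {sid}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(rule, "-", detail)
```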

With the advancement of malicious AI and the sophistication of today’s phishing attempts, which scan victims’ social platforms and generate realistic scams at scale, it’s safe to assume some phishing attacks will bypass detection. Actively hunting for anomalous lateral movement or session takeovers is no longer a precautionary measure but a requirement.

The shift toward AI-generated phishing and hyper-personalized attacks is drastically reducing the effectiveness of legacy detection mechanisms. Organizations must transition from a reactive approach to a unified adversary-centric model, where threat intelligence isn’t just collected—it’s operationalized into detection engineering, continuous red teaming, and active threat-hunting efforts.
