In July 2020, attackers didn't write a single line of exploit code to breach Twitter. They picked up a phone.
A small group of teenagers called Twitter employees, impersonated the company's IT department, and talked their way into internal admin tools. Within 15 minutes, they had access to 130 accounts — including those of Barack Obama, Elon Musk, and Joe Biden — and used them to run a Bitcoin scam that netted over $100,000 before Twitter could shut it down.
No zero-day. No sophisticated malware. Just a convincing story told to someone in the middle of a workday.
What is social engineering, really?
Social engineering is manipulating people through trust and context rather than exploiting code. It's the starting point for the majority of cyber incidents we see today.
68% of breaches involve the human element (Verizon DBIR 2024). Phishing-initiated breaches cost organisations an average of $4.44 million — the highest of any initial attack vector (IBM Cost of a Data Breach Report 2025).
Key insight: The most expensive breaches aren't the most technical ones. They're the ones that started with a conversation.
Why careful, reasonable people still click
Here's the thing about attacks like the Twitter breach: the employees who took those calls weren't making bad decisions. They were making reasonable ones — responding to someone who knew their tools, their team structure, and their processes.
Think about the last time you got an urgent Slack from "IT Support" asking you to re-verify your credentials before a system update. Everything looks right — the sender name, the tone, the urgency. You're three hours into a deep-focus block. You click. That's not a failure of judgement. That's a situation engineered to succeed against a careful, reasonable person.
Key insight: With AI, attackers can profile your org, identify targets, and craft a convincing personalised lure in hours. The person receiving it gets seconds to decide.
The shape of a modern attack
Modern attacks have evolved well beyond generic phishing emails. Today's social engineering is contextualised, personalised, and timed. In one recent case, a finance manager received an invoice approval request from what appeared to be their primary supplier — referencing their actual ERP system, using correct payment terms, arriving on a Friday afternoon. The account details had been quietly swapped. The wire transfer cleared before anyone noticed. The attack was built from information scraped from a LinkedIn job post.
Why your current metrics aren't telling you what you need
Faced with attacks like this, most security teams default to the same playbook: more training modules, more phishing simulations, more compliance checkboxes. The intent is right — get employees better prepared. But the metrics those programmes generate tell us very little about whether anyone is actually safer.
Training completion rates measure attendance, not understanding. Phishing simulation click rates flag who got caught by a single test, on a single day, in a controlled exercise that bears little resemblance to a real attack arriving at 4:47pm on a deadline Friday. Annual compliance checkboxes confirm an obligation has been met — nothing more. None of these numbers tell us how the organisation actually behaves when something genuinely unexpected lands in someone's inbox.
From measuring failures to measuring contributions
So what should we be measuring instead? Four signals that map to what real resilience looks like — each one a measurable quantity, each one trending in a direction you actually want.
| What to Measure | Why It Matters |
|---|---|
| Volume of employee-reported threats | Your early-warning channel is working. People are noticing things and surfacing them — not just deleting and moving on. A rising volume of legitimate reports is the clearest sign that the workforce is engaged in defence, not just exposed to attack. |
| Time from threat delivery to first employee report | The faster a suspicious message gets flagged, the smaller the blast radius for everyone else. This metric is the single best predictor of containment — and it improves as people get more confident, not just more trained. |
| Sustained behaviour change over time | Reporting trending up steadily over months and quarters — not a one-week spike after training that fades. Sustained change is what reduces risk; everything else is theatre. |
| Share of employees who can explain why a request is suspicious | Understanding, not just recognition. A workforce that can explain why something feels off can apply that judgement to attacks no simulation has ever modelled — including the ones that haven't been invented yet. |
These measures share something the older ones don't: they reward what people do to make the organisation safer, rather than penalising what they failed to spot under conditions a determined attacker designed to defeat them.
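As an added illustration (not code from the article or from Mungo Labs), here is how the four signals in the table could be computed from an employee report log. The record layout and every sample value are constructed assumptions; a real feed would come from a report button or mailbox integration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the article): one row per employee report.
# campaign: which lure it was; delivered: when the lure first landed in any
# inbox; reported: when this employee flagged it; legit: an analyst confirmed
# it was a real threat; reason: the answer to "what made you suspicious?".
REPORTS = [
    {"campaign": "invoice-swap", "delivered": "2025-01-10T16:47", "reported": "2025-01-10T16:55",
     "who": "alice", "legit": True, "reason": "new bank details on a Friday afternoon"},
    {"campaign": "it-reverify", "delivered": "2025-02-03T09:00", "reported": "2025-02-03T09:04",
     "who": "carol", "legit": True, "reason": "IT never asks for credentials over chat"},
    {"campaign": "it-reverify", "delivered": "2025-02-03T09:00", "reported": "2025-02-03T09:20",
     "who": "bob", "legit": True, "reason": ""},
    {"campaign": "newsletter", "delivered": "2025-02-20T11:00", "reported": "2025-02-20T11:10",
     "who": "dave", "legit": False, "reason": ""},
    {"campaign": "mfa-fatigue", "delivered": "2025-03-12T14:00", "reported": "2025-03-12T14:02",
     "who": "alice", "legit": True, "reason": "push prompt arrived while I was not logging in"},
    {"campaign": "mfa-fatigue", "delivered": "2025-03-12T14:00", "reported": "2025-03-12T14:03",
     "who": "erin", "legit": True, "reason": "unexpected push"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def minutes_to_first_report(reports):
    """Signal 2: per campaign, minutes from delivery to the earliest confirmed report."""
    first = {}
    for r in reports:
        if not r["legit"]:
            continue  # false alarms do not shrink anyone's blast radius
        mins = (_ts(r["reported"]) - _ts(r["delivered"])).total_seconds() / 60
        first[r["campaign"]] = min(mins, first.get(r["campaign"], mins))
    return first

def monthly_legit_reports(reports):
    """Signal 1: volume of confirmed-threat reports per calendar month (YYYY-MM)."""
    return dict(Counter(r["reported"][:7] for r in reports if r["legit"]))

def sustained_increase(monthly):
    """Signal 3: True only if volume never dips month over month and ends above where it started."""
    counts = [monthly[m] for m in sorted(monthly)]
    return len(counts) > 1 and counts[-1] > counts[0] and all(b >= a for a, b in zip(counts, counts[1:]))

def share_who_can_explain(reports):
    """Signal 4: fraction of distinct reporters who gave a concrete reason at least once."""
    reporters = {r["who"] for r in reports}
    explained = {r["who"] for r in reports if r["reason"].strip()}
    return len(explained) / len(reporters)
```

A one-week spike after training followed by a drop makes `sustained_increase` return False, which is the "theatre" pattern the table warns about.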
An empowered workforce is your biggest force-multiplier
At Mungo Labs, we're building a different model — one that treats employees as active defenders. People who, given the right context at the right moment, do the right thing. The downstream benefit goes well beyond fewer incidents: when the workforce is genuinely catching things early, IT and SecOps teams stop firefighting volume and start working on the harder, higher-leverage problems they were hired for. The load on the security function drops. The signal-to-noise ratio improves. The whole organisation gets sharper.
Key insight: An empowered workforce isn't just a safer workforce. It's the single biggest force-multiplier a small security team can have.
Where to start
Regardless of what tools your organisation uses, there's one shift worth making now: start measuring what your people contribute to security, not just where they fall short. Track reports. Celebrate near-misses that get raised. Build a culture where it's easier to flag something than to ignore it. That's what resilience actually looks like — and it starts long before any technology decision.
If you're building toward that kind of organisation, we'd love to show you what Mungo Labs makes possible.