"That's far more devastating to an organisation than the most advanced hacker in the world sitting inside that network who has absolutely no business experience, doesn't know anything about the corporation.
"The hacker could get access to all the corporate documentation, all of the board members, meeting minutes, all kinds of internal IP and emails. But the hacker doesn't know how the business works so he/she doesn't know what is valuable and what isn't."
Daniel Cabezas, IT security testing services leader at Macquarie Group, says that when he runs test email campaigns, he still finds many users clicking on links, downloading files or installing untrusted applications.
"We are doing security awareness courses, but whenever we do testing by sending ourselves email campaigns, there's still more percentage of our user base who click on things," he says.
One issue that security teams have to deal with is that attackers do not necessarily try to break directly into a company's systems. Cabezas says they may have more success compromising an employee's personal computer to find business information, or a work password or account.
"If the malware is trying to target the users at their homes, the reality is that I don't have that many security controls in my laptop at home. So [criminals] are most successful attacking the home laptop of the users to try and get information about the company they work for. They go to LinkedIn and look for potential employees from the company to attack their personal laptops."
The rise of bring-your-own-device (BYOD) schemes — under which employees can use their own smartphones, tablets and notebooks for work — and an emphasis on flexible working only further complicate the situation.
Cabezas says that there's usually a struggle to balance user demand for new technology with security.
"We have to determine what the risk of [introducing] the new technology is, but our users are already asking us to implement it," he says.
"You might have a very functional, well-defined application, and you might think 'it works the way we expect it to'. But what happens when somebody finds something unexpected?
"Criminals don't work for X hours a day and then go home. They keep working during the night, during the weekend and they just have to find one hole. So you have to think the way they do. You might say 'this vulnerability is really difficult to exploit', but they will take the time and whatever the means to exploit it."