The fundamental security flaw with all computer systems is people. That’s the weak link, according to Jenny Radcliff, UK-based social engineering consultant. She refers to the security threats that people pose as the three Ms: mistakes, mischief and malice. You’d be hard pressed to find a recent attack that didn’t have at its core one of the three Ms.

What we know from research is that 91% of cyberattacks start with a phishing email, which means 91% of cyberattacks start with someone mistakenly clicking on a malicious email link. I don’t think many people intentionally click on a phishing link, although if they did, it would still be one of the three Ms: either mischief or malice.

Since we know the fundamental flaw behind computer security is people, perhaps the more important question is, what can we do about it? First, you have to give up the idea that any computer system can ever be 100% safe. A determined insider with the right access, who’s intent on malice, is extremely difficult to stop.

What can be done to minimize the chance of a hack is something called defense in depth. The idea behind the defense in depth is very simple. Put up a bunch of different types of barriers instead of just relying on one. This way, no matter what attack vector the enemy chooses, you’re covered.

So, for instance, should you conduct employee security awareness training? Yes. Should you enforce policies like least privilege? Yes. Should you deploy phishing prevention technology? Yes. By themselves, they’re good. Together they’re better, but not perfect.

The fundamental flaw behind computer security is people. And unfortunately, that’s the most challenging threat vector there is.