Cyber: Assessing Human Cyber Risk in Your Organisation

The human element is involved in most cyber breaches, yet many businesses overlook it in their security strategies. Technology plays a crucial role in defending systems, but the people who use those systems remain the most frequently exploited weakness. It's time businesses took a closer look at managing the human factor to protect themselves from potential breaches.

Surveys published this year underline the point. Mimecast's The State of Email & Collaboration Security Report [1] attributed 74% of cyber breaches to human risk: errors, stolen credentials, misuse of access and social engineering. Verizon's 2024 Data Breach Investigations Report [2] reached a similar conclusion, finding that 68% of breaches involved a non-malicious human element.

With threats growing more sophisticated, businesses must take action to mitigate risks created by their employees. So, how do you assess and address human cyber risk in your organisation?

Why the Human Factor Matters

As cyber threats evolve, people continue to be the primary vulnerability. Whether it's falling for a phishing email, choosing a weak or reused password, or being manipulated by social engineering, human error is at the heart of many cyber incidents. Gareth Dalton, Managing Director of Techn22, a Beavis Morgan group company, says: "Technology can only do so much to protect businesses. It's the people who interact with systems that are often the weak link, whether it's through simple mistakes or more complex social engineering attacks."

Businesses must recognise that training, awareness, and ongoing engagement with staff are essential to reducing these risks.

Steps to Assess and Manage Human Cyber Risk

  1. Evaluate the Current Cyber Security Posture
     Start by assessing your business's cyber-security posture. This should involve all senior leadership, not just IT. A clear understanding of existing vulnerabilities and gaps in knowledge will shape a comprehensive training and risk-mitigation strategy. Every board member should undergo tailored cyber-security training to identify knowledge gaps and ensure they understand the extent of the risks the organisation faces. "Cyber security isn't just an IT issue," says Gareth. "The board must set the tone from the top, driving a culture of security awareness."
  2. Tailored Staff Training
     One-size-fits-all training is ineffective. Instead, tailor your training programme to specific staff roles and the nature of your business. Regular, role-specific training helps employees understand the threats most relevant to them while engaging them on a personal level. Training must not be a one-off event: offer ongoing education that evolves with emerging threats, because the threats change constantly and your training should too. "Annual training is not enough," explains Gareth. "Continuous learning, updated with the latest threats, is key to staying secure."
  3. Encourage Awareness and Vigilance
     Creating a culture where employees feel empowered to ask questions and report suspicious activity is essential. Encourage staff to flag potential security issues without fear of reprimand. Consider appointing cyber-security champions, staff members with a particular aptitude for cyber security, to lead by example and foster a culture of awareness across the business.
  4. Regular Assessments and Testing
     Training is only part of the solution. Regular assessments, including phishing simulations and knowledge tests, gauge your employees' understanding and awareness. Those who perform poorly should receive additional, targeted training. Track how many staff report the simulated email, not just how many click it, and keep the exercise supportive: punishing clickers undermines the reporting culture described in step 3. The data from these tests also gives you a measure of the human cyber risk in your business over time. As Gareth notes, however: "These assessments are just one marker. They help identify weaknesses, but you need a broader strategy to fully address the human element of cyber risk."
  5. Strengthen Policies and Controls
     Implement robust policies and technical controls to defend against human-caused incidents. These include:
     • Data leakage prevention (DLP) tools
     • Strict password and privileged-access management, including multi-factor authentication
     • A bring-your-own-device (BYOD) policy
     • Regular patching, and restricting system access to what each role actually needs
     • Disabling or controlling removable media
     • Monitoring for insider threats and rogue employees
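As a worked illustration of the measurement described in step 4, the following script turns phishing-simulation results into per-department metrics, a list of staff who need targeted follow-up, and a campaign-over-campaign trend. It is an added example, not code from the original article or from Techn22. The simulation records are constructed sample data, the field names are assumptions about what a simulation platform exports, and the scoring weights are an assumed convention to be tuned, not an industry standard.

```python
"""Turning phishing-simulation results into a human cyber-risk measure.

Added example for step 4, not from the original article. The records below
are constructed sample data; the field names and the scoring weights are
assumptions, not the output format of any particular simulation platform.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in one simulated phishing campaign."""
    user: str
    department: str
    campaign: str
    clicked: bool    # followed the simulated phishing link
    submitted: bool  # entered credentials on the landing page
    reported: bool   # reported the email to the security team


# Constructed sample data: two campaigns (q1, q2) across three departments.
RESULTS = [
    SimResult("alice", "finance", "q1", False, False, True),
    SimResult("bob",   "finance", "q1", True,  True,  False),
    SimResult("carol", "finance", "q1", True,  False, True),   # clicked, then reported
    SimResult("dave",  "sales",   "q1", True,  True,  False),
    SimResult("erin",  "sales",   "q1", False, False, False),
    SimResult("frank", "it",      "q1", False, False, True),
    SimResult("grace", "it",      "q1", False, False, True),
    SimResult("alice", "finance", "q2", False, False, True),
    SimResult("bob",   "finance", "q2", True,  False, False),
    SimResult("carol", "finance", "q2", False, False, True),
    SimResult("dave",  "sales",   "q2", True,  True,  False),
    SimResult("erin",  "sales",   "q2", False, False, False),
    SimResult("frank", "it",      "q2", False, False, True),
    SimResult("grace", "it",      "q2", False, False, False),
]


def department_metrics(results):
    """Click, credential-submission and report rates per department.

    Report rate matters as much as click rate: a department that clicks
    rarely but never reports gives the security team no early warning.
    """
    by_dept = defaultdict(list)
    for r in results:
        by_dept[r.department].append(r)
    metrics = {}
    for dept, rs in by_dept.items():
        n = len(rs)
        metrics[dept] = {
            "recipients": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "submit_rate": sum(r.submitted for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return metrics


def risk_score(m):
    """Assumed weighting on a 0-100 scale: credential submission weighs most,
    reporting pulls the score down. Treat the weights as a starting point."""
    raw = 0.3 * m["click_rate"] + 0.5 * m["submit_rate"] - 0.2 * m["report_rate"]
    return max(0.0, min(100.0, 100 * raw))


def retraining_candidates(results, min_clicks=2):
    """Users who submitted credentials at all, or clicked in min_clicks or
    more campaigns. Use for targeted training, not for disciplinary action."""
    clicks = defaultdict(int)
    flagged = set()
    for r in results:
        if r.submitted:
            flagged.add(r.user)
        if r.clicked:
            clicks[r.user] += 1
    flagged.update(u for u, c in clicks.items() if c >= min_clicks)
    return sorted(flagged)


def campaign_trend(results):
    """Overall click rate per campaign, in campaign order, to see whether
    training is moving the needle between exercises."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r.clicked)
    return {c: sum(v) / len(v) for c, v in sorted(by_campaign.items())}


if __name__ == "__main__":
    for dept, m in sorted(department_metrics(RESULTS).items()):
        print(f"{dept:8} click {m['click_rate']:.0%}  submit {m['submit_rate']:.0%}  "
              f"report {m['report_rate']:.0%}  risk {risk_score(m):.0f}")
    print("retraining:", retraining_candidates(RESULTS))
    print("trend:", campaign_trend(RESULTS))
```

On the constructed data the IT department scores zero risk despite the same exposure, because nobody clicked and most people reported; sales scores highest because credentials were submitted twice and nothing was ever reported. That contrast, rather than a single click percentage, is what the assessment data should be used to surface.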

These measures, combined with training, create multiple layers of defence that reduce the risk of a breach caused by human error.

The Bottom Line

No business is immune to cyber threats, but managing the human factor is crucial in building a strong defence. Gareth Dalton adds: “There’s no single solution that will eliminate all risks, but a layered approach involving training, awareness, and robust controls can go a long way. Cyber security should be seen as a continuous process – never a tick-box exercise.”

Cyber security isn’t just about the latest software; it’s about people. Invest in training, assess risk regularly, and create a culture of vigilance to protect your business from the growing threat of human error.

Contact your usual Beavis Morgan partner in the first instance or email Gareth Dalton at Gareth.Dalton@techn22.co.uk to discuss how Techn22 can help safeguard your organisation.

Sources:

[1] https://www.mimecast.com/the-state-of-email-and-collaboration-security-2024/

[2] https://www.verizon.com/business/resources/reports/dbir/