According to three major pieces of polling released this year, the human factor is the most urgent priority for businesses to tackle in their cyber-security efforts.

Published in March, Mimecast’s latest The State of Email & Collaboration Security Report stressed that 74% of all cyber breaches are caused by human risks. Those include errors, stolen credentials, misuse of access privileges and social engineering.

In a statement, Mimecast CEO Marc van Zadelhoff warned that emerging tools and technologies such as artificial intelligence (AI) and deepfakes, plus the proliferation of collaborative platforms, are changing how threat actors work. However, he stressed, “people remain the biggest barrier to protecting companies from cyber threats”.

In May, the 2024 Data Breach Investigations Report from telecoms giant Verizon Business drew a similar conclusion. Almost 70% of breaches that the company had examined in the previous 12 months had involved a “non-malicious human element”, such as an employee falling victim to a social engineering attack, or making an error.

Treacherous ground

For Karen Morrall ACA, CEO of West Midlands-based Lockdown Cyber Security, SMEs and accounting practices should never ignore the potential for staff to stumble into the path of cyber threats.

Very recently, part of Network Rail’s wi-fi service, affecting 19 UK railway stations, was compromised by a hack. Thought to have stemmed from bad-faith actions at one of Network Rail’s internet service providers, the act of ‘cyber-vandalism’ installed a pop-up on travellers’ devices that delivered a fake warning of imminent terrorist attacks.

“Think of how many people you see working on their laptops on a packed train, using the wi-fi system,” she says. “Many of them wouldn’t have a defence for an incident like that.”

Worryingly, though, the array of attack types that everyday IT users are having to defend against is only getting slipperier and harder to read. Echoing one of Mimecast’s warnings, Morrall cites a case this year in which an employee in the Hong Kong arm of engineering firm Arup was tricked by an AI-powered, deepfake video call into sending £20m to criminals. In addition, she points out, there has been a rise in the number of ‘zero-day attacks’: incidents caused by strains of malware that no one has seen before.

For all those reasons, she notes, when businesses are looking to address the human factor in their cyber-security measures, prevention is always better than cure.

“It’s an area that has to be approached in the same way as health and safety,” she says. “A holistic approach to cyber risk revolves around people, process, technology and supply chain. They’re all joined up; you can’t look at any of those factors in isolation. Importantly, cyber must also be the board’s responsibility. You can’t just delegate it to a department; the board has to get to grips with it to set the correct tones and behaviours from the top.”

She stresses that if the board isn’t completely involved with or doesn’t understand cyber security, you’re not going to build a security-aware culture within the organisation. Any organisation would be set up to fail, because any action will be little more than a tick-box exercise for compliance purposes, rather than an effort to bake in cyber security by design.

Defending systems

As such, Morrall says, one of the most crucial measures for the board to take is to assess its own cyber-security posture. All board members must take part in specially tailored cyber-security training, run by experts who can help identify and address knowledge and skills gaps.

On a wider level, the board must also have a clear grasp of how much cyber risk its organisation is holding. As a board, do you actively measure cyber risk? Do you understand where weaknesses and vulnerabilities lie? And do you continually monitor your business’s cyber posture to assess its fitness for purpose in the face of emerging threats?

“People are the weakest link in cyber security, so awareness training is key at every level,” Morrall says. “Your programme should fit the requirements of your staff roles, organisation type and business sector.” 

You should also encourage staff to be curious, ask questions and flag potential issues, and to escalate anything they’ve seen that they may be unsure about, she says. Having cyber-security champions – staff who demonstrate particular proficiency and enthusiasm for enhancing your cyber posture – can also be helpful.

For Morrall, annual training is not enough; it must be updated on a rolling basis and aligned with changes in the threat landscape. “An online training provider will typically record who learned what when,” she says. “Most online sessions will ask several questions, either during or after the training. Scores obtained will usually be recorded and can be used to evidence employees’ retention of knowledge. Those scores will help you gauge your internal human cyber-risk factor. But they will provide you with only one marker.”

Staff that don’t score well, Morrall says, should have additional training to reinforce their knowledge, especially around common attack types such as phishing.

To mitigate internal threats, she notes, organisations should consider vetting staff, defending systems with data leakage prevention software, putting in place robust privileged-access management, strong-password and bring-your-own-device policies, restricting systems access where appropriate, disabling removable media and harnessing deep and dark web intelligence resources.

“There’s no silver bullet for cyber security,” Morrall adds. “The risk of cyber incidents is constant and can never be fully eliminated. To build defences across an entire business, cyber-security measures must be carefully layered.”