Written by Rob Junker: Mimecast Chief Product Officer
Despite investing heavily in training programs, many organisations struggle to cultivate the day-to-day behaviours and vigilance needed to stay secure.
When ransomware brought UK retail giant M&S to its knees recently, slashing an estimated £700 million from its valuation in just one week, it wasn’t just a wake-up call about technological vulnerabilities; it was a stark reminder of the cost of human error in today’s cybersecurity landscape.
Despite its robust systems and advanced technologies, M&S, like many large organisations, found itself exposed. It wasn’t just about outdated software or a missed firewall update. The real weak spot may have been something far more ordinary: human error.
Modern enterprises like M&S operate across sprawling digital and physical networks, with thousands of employees, partners, and systems. This scale offers productivity and convenience - but it also opens the door to cyber-criminals. While attackers are constantly evolving their tools, they’re still relying on the same proven strategy of targeting people.
Whether it’s a phishing email that looks eerily convincing, a malicious QR code scanned in haste, or a simple password reused across accounts, human mistakes are behind 95 percent of all cybersecurity breaches. Yet, human risk remains an overlooked aspect of cybersecurity. Organisations may invest millions in advanced tech, but without addressing human behaviour, breaches will persist.
To stay ahead, business leaders must reframe their cybersecurity strategies around people. By adopting human-centric security approaches and leveraging human risk management platforms, businesses can minimise human error, equip employees to recognise threats, and build a stronger, more resilient defence.
The Human Factor: Unmasking the True Cybersecurity Challenge
Mimecast’s latest State of Human Risk 2025 report paints a sobering picture of cybersecurity at the human level. While an impressive 87 percent of organisations say they provide quarterly training to help employees identify and report threats, human error still reigns as the top concern for 33 percent of respondents. Fatigue-driven lapses in attention follow closely behind, troubling 27 percent of security leaders.
The gap between intention and reality grows wider when it comes to compliance: 94 percent of organisations report difficulties ensuring employees consistently follow security protocols. More than half (57 percent) cite a need for increased budget to bolster cybersecurity teams and secure third-party support, underscoring how stretched current resources are in managing human risk.
These figures reveal a critical disconnect. Despite investing heavily in training programs, many organisations struggle to cultivate the day-to-day behaviours and vigilance needed to stay secure.
Why? The threat landscape is evolving faster than employees can keep up. Advanced tactics like AI-generated phishing attacks, deepfakes, malicious QR codes, and threats embedded in everyday collaboration platforms are redefining the rules of engagement. Tools like OneDrive, Slack, and Microsoft Teams are indispensable for productivity, yet they’ve become a growing security liability. Our research found that 44 percent of organisations reported a spike in threats originating from collaboration tools - up from 37 percent the previous year - highlighting the urgent need to adapt training approaches to modern workflows.
The truth is, human behaviour is unpredictable. People are prone to shortcuts, blind spots, and poor judgment. Many underestimate the threats around them, leading them to dismiss training or make risky decisions they know could endanger the organisation. If businesses are to reduce human risk meaningfully, they must rethink their approach, shifting from check-the-box training to dynamic, personalised education that truly engages employees and evolves alongside the threat landscape.
Humans are, by nature, unpredictable. We cut corners, underestimate risks, and sometimes ignore even the best training. This behaviour can undermine even the most robust security systems. So, how can organisations turn the tide?
Shifting to a Human Risk Management Approach
Changing deeply ingrained human habits is never easy, especially when it comes to cybersecurity. For business and security leaders aiming for real impact, success starts with putting people at the centre of their cyber strategies. But what does this look like in practice? Here are five key points that leaders should keep at the front of their minds when moving to a human risk management strategy.
1 - Combine engaging awareness programs and hands-on training with cutting-edge technology to foster lasting behavioural change.
2 - A one-size-fits-all approach simply doesn’t cut it. Instead, a personalised and targeted strategy can deliver remarkable results.
3 - Mimecast’s research reveals a striking fact: while human error accounts for 95 percent of breaches, eight percent of employees are responsible for 80 percent of these incidents. This highlights a powerful opportunity: by pinpointing, assessing, and addressing risk at the individual level, organisations can focus their efforts where they matter most.
4 - Targeted interventions allow resources to be channelled towards those whose actions could have the greatest impact on data security.
5 - While regular training and education remain essential, today’s threat landscape demands a more integrated approach. Enter Human Risk Management (HRM) platforms: these innovative solutions move beyond reactive measures, offering proactive, data-driven interventions that balance security with productivity.
HRM platforms excel at combating employee engagement fatigue by delivering deep insights into individual risk profiles. By analysing behaviour patterns, attack vectors, and risk scores, these platforms enable tailored strategies for high-risk users.
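To make the individual-level risk idea in points 3 and 4 concrete, here is an added illustration (not Mimecast code and not a description of any product’s scoring): it scores users from a constructed list of security events and finds the smallest group of users who account for 80 percent of incidents. The event types, weights and user names are all assumed for the example.

```python
from collections import Counter

# Constructed sample of user security events: (user, event_type). Not real data.
EVENTS = [
    ("alice", "phish_click"), ("alice", "phish_click"), ("alice", "external_share"),
    ("alice", "phish_click"), ("bob", "phish_click"), ("carol", "reported_phish"),
    ("dave", "external_share"), ("dave", "phish_click"), ("erin", "reported_phish"),
    ("frank", "phish_click"), ("alice", "external_share"), ("dave", "phish_click"),
    ("grace", "reported_phish"), ("heidi", "reported_phish"), ("ivan", "reported_phish"),
    ("judy", "reported_phish"),
]

# Assumed weights: risky actions add to the score, reporting a phish reduces it.
# A real platform would calibrate these against its own telemetry.
WEIGHTS = {"phish_click": 3, "external_share": 2, "reported_phish": -1}


def risk_scores(events):
    """Per-user risk score, floored at zero so good behaviour cannot go negative."""
    scores = Counter()
    for user, kind in events:
        scores[user] += WEIGHTS.get(kind, 0)
    return {user: max(score, 0) for user, score in scores.items()}


def incident_counts(events):
    """Number of risky (positively weighted) events per user."""
    return Counter(user for user, kind in events if WEIGHTS.get(kind, 0) > 0)


def concentration(events, share=0.8):
    """Smallest set of users whose incidents make up at least `share` of all incidents.

    Returns (users, fraction_of_population) so a leader can see how few people
    drive most of the risk, which is where targeted interventions should go.
    """
    counts = incident_counts(events)
    population = {user for user, _ in events}
    total = sum(counts.values())
    chosen, running = [], 0
    # Highest-incident users first; ties broken by name for a stable result.
    for user, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(user)
        running += n
        if running >= share * total:
            break
    return chosen, len(chosen) / len(population)


if __name__ == "__main__":
    print(risk_scores(EVENTS))
    print(concentration(EVENTS))  # two of ten users carry 80 percent of incidents
```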
Unlike isolated security tools, HRM platforms offer end-to-end visibility into both internal and external threats. They monitor collaboration tools, flag vulnerable employees, and can even prevent unauthorised data sharing before it happens. For example, an HRM platform can leverage Slack’s API to monitor all message activity, including edits and deletions, strengthening collaboration tool security and safeguarding sensitive data.
Building Cyber Resilience for 2025 and Beyond
Selecting the right technology is a cornerstone of any cybersecurity programme, but its true effectiveness critically depends on the people who use it. As AI-driven phishing attacks become more sophisticated and collaboration tools proliferate, aligning human behaviour with technological defences is more imperative than ever.
By embracing a human-centric approach, business leaders can dramatically reduce risk, protect their organisations, and embed resilience into every aspect of their operations. The future of cybersecurity isn’t just about smarter tools; it’s about smarter, more empowered people.
Are you investing in training for your people or hoping machines alone will keep you safe from bad actors?