With beloved UK retailer M&S experiencing a crippling ransomware attack last month, the reputational and financial repercussions of cyberattacks – and the impact of prolonged downtime – have once again been thrown into the spotlight, with an estimated £700 million wiped off its valuation in one week.
As a complex organisation with a significant physical and online presence, M&S’s IT systems undoubtedly have a large attack surface with thousands of potential entry points for bad actors to exploit – and thousands of employees whose human errors could have unintentionally left the organisation vulnerable.
This human risk element is too often left out of the conversation around cybersecurity. Last year, human risk surpassed technology gaps as the most significant cybersecurity challenge. Organisations can spend millions fortifying their tech stacks, but breaches will continue unabated without the same focus on human behaviour. A staggering 95% of all data breaches are caused by human error – poor password hygiene, credential misuse, and user-driven errors. Attackers are increasingly targeting this human layer with precision, leveraging convincing AI phishing software and new attack vectors such as malicious QR codes.
To tackle this threat, business leaders must refocus their cybersecurity strategies around their people. By implementing human-centric approaches and leveraging human risk management platforms, organisations can reduce human-related risks, empower employees with the necessary skills to identify and counteract attacks, and develop a more robust cybersecurity framework.
The Realities of Human Risk
The realities of human risk are laid bare in the latest report from Mimecast, ‘State of Human Risk 2025’, which found that while 87% of surveyed organisations train employees quarterly to identify and report threats, 33% still cite employee error as their top concern, and 27% worry about lapses in vigilance caused by fatigue.
Moreover, 94% of surveyed organisations face obstacles in ensuring employees adhere to compliance standards and consistently follow security protocols. 57% state that an additional budget is required for cybersecurity staffing and third-party services.
This data reveals a fundamental challenge: despite substantial investments in cybersecurity training, employees are failing to meet the rigorous standards required to protect their organisations.
One reason for this is the rapidly changing technological landscape. The emergence of sophisticated threats, such as AI-generated phishing emails, deepfakes, malicious QR codes, and the abuse of collaboration tools, has significantly expanded the range of potential attack vectors. Collaboration tools, for example, have emerged in recent years as a deep concern for companies. OneDrive, Slack, and Teams may now be critical for modern workflows, but they also dramatically increase exposure. According to Mimecast’s State of Human Risk report, 44% of respondents reported a rise in threats associated with collaboration tools over the past 12 months, an increase from 37% in 2024. This underscores the expanding scope of cyber threats in an increasingly interconnected working environment and the need to rapidly adapt employee training strategies to protect against emerging threats.
Faced with this dynamic threat landscape, continuous training and education are essential. However, information overload can easily cause fatigue in employees. Generic awareness programs and repetitive training courses can often be counterproductive and, on their own, insufficient. For example, a study by Gartner revealed that over 90% of employees admitted to taking actions at work that they knew were insecure and could increase organisational risk, and proceeding regardless.
Humans are unpredictable, prone to taking shortcuts and acting illogically. They also tend to underestimate the prevalence of threats surrounding them. This behaviour leads them to ignore training and engage in risky actions that they know could jeopardise organisational security.
So, how can we mitigate this risky behaviour?
Changing entrenched human behaviour can be challenging. To maximise their chances of success, business and security leaders must place employees at the heart of their cyber strategies, blending awareness and practical training with best-in-class technology solutions to drive real change.
Leveraging a tailored and targeted approach can yield significant benefits. Mimecast research found that while 95% of breaches are caused by human error, on average just 8% of employees are responsible for 80% of security breaches.
This indicates that tackling the human risk challenge can be expedited by identifying, assessing, and mitigating the risk specific to each user. This targeted method enables organisations to allocate resources efficiently, focusing on those individuals whose risky behaviours could have serious implications for the company’s data security.
Regular training and educational programs remain crucial, yet adopting a more integrated strategy that aligns with the complexities and frequency of modern threats is essential. Human Risk Management (HRM) platforms emerge as a pivotal solution, offering precise interventions that balance innovation and productivity while shifting the focus from post-incident responses to proactive prevention.
HRM platforms are particularly effective in managing employee engagement fatigue by providing a comprehensive analysis of individual risk profiles. These platforms offer insights into behaviour patterns, attack vectors, and risk scoring, enabling personalised strategies for those who need the most attention. Unlike siloed security solutions, HRM platforms provide end-to-end visibility into external and internal risks. By monitoring collaboration tools and identifying vulnerable employees, these platforms can pre-emptively prevent unauthorised data sharing and other security breaches. For instance, an HRM platform can utilise Slack’s API to meticulously monitor all communications, including deleted and edited messages, enhancing collaboration tool security and ensuring robust data loss prevention.
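As an added illustration of the per-user risk scoring and targeting described above (example code written for this article, not Mimecast's or any HRM product's logic), the script below aggregates constructed user-attributable security events into a weighted risk score and then finds the smallest group of users whose scores account for 80% of the organisation's total, the group a targeted approach would prioritise. The event types, weights and sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample of user-attributable security events (not real data).
# Each tuple is (user, event_type) as an HRM platform might collect from
# email, identity and collaboration-tool telemetry.
EVENTS = [
    ("alice", "phish_click"), ("alice", "phish_click"), ("alice", "cred_reuse"),
    ("alice", "external_share"), ("bob", "phish_click"), ("bob", "external_share"),
    ("bob", "external_share"), ("carol", "phish_report"), ("dave", "phish_click"),
    ("erin", "phish_report"), ("frank", "cred_reuse"), ("grace", "phish_report"),
    ("heidi", "phish_report"), ("ivan", "phish_report"), ("judy", "phish_report"),
]

# Assumed weights: risky behaviours add risk, reporting a phish reduces it.
WEIGHTS = {
    "phish_click": 5,
    "cred_reuse": 4,
    "external_share": 3,
    "phish_report": -1,
}

def score_users(events, weights=WEIGHTS):
    """Sum weighted events per user; a net-positive reporter floors at 0."""
    scores = defaultdict(int)
    for user, kind in events:
        scores[user] += weights[kind]
    return {user: max(score, 0) for user, score in scores.items()}

def risk_concentration(scores, share=0.8):
    """Return the smallest set of highest-scoring users whose combined score
    reaches `share` of the total, and the fraction of all users that set is."""
    total = sum(scores.values())
    if total == 0:
        return [], 0.0
    ranked = sorted(scores, key=lambda u: scores[u], reverse=True)
    chosen, accumulated = [], 0
    for user in ranked:
        chosen.append(user)
        accumulated += scores[user]
        if accumulated >= share * total:
            break
    return chosen, len(chosen) / len(scores)

if __name__ == "__main__":
    scores = score_users(EVENTS)
    users, fraction = risk_concentration(scores)
    # These users would receive targeted coaching rather than generic training.
    print(f"{fraction:.0%} of users carry 80% of the risk score: {users}")
```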
Building Resilience in 2025
Choosing the right technology stack is crucial to any cybersecurity strategy, but the effectiveness of these technologies ultimately hinges on human behaviour. As AI phishing attacks grow increasingly realistic and more collaboration tools are integrated into workflows, ensuring that human behaviour aligns with technological advancements becomes vital. By deploying a human-centric strategy, business leaders mitigate human risk, safeguard their organisations, and build resilience into every business function.
About the Author

Carl Wearn is Head of Threat Intelligence Analysis and Future Ops at Mimecast. Mimecast is transforming the way businesses manage and secure human risk. Its AI-powered, API-enabled connected human risk platform is purpose-built to protect organizations from the spectrum of cyber threats. Integrating cutting-edge technology with human-centric pathways, our platform enhances visibility and provides strategic insight. Our technology safeguards critical data and actively engages employees in reducing risk and enhancing productivity. More than 42,000 businesses worldwide trust Mimecast to help them keep ahead of the ever-evolving threat landscape. From insider risk to external threats, customers get more with Mimecast. More visibility. More agility. More control. More security.


