Human Error: A Tale As Old As Time
Over 90% of cyber incidents originally stem from human error, making it the driving force behind an overwhelming number of attacks. Technology can continue to evolve, but human behaviour remains a fundamental vulnerability with critical impact. After all, humans are bound to make mistakes.
In this blog, we explore the extent of the impact of human error, as well as simple ways to mitigate its ramifications based on the findings of our 2025 report, ‘Cyber Resilience: Futureproofing AI Adoption’.
The Scope of Human Error in Cyber Security
According to our research, 69% of employees have admitted to bypassing cyber security guidance in the last 12 months. This failure to follow policies and procedures creates openings for cyber criminals to access assets stored on company networks.
Everyday examples of employee negligence turning into vulnerabilities include:
- Poor password management
  This includes passwords that are not complex enough. Employees may also re-use the same password across systems, increasing risk.
- Misconfigured systems
  Not setting up MFA (Multi-Factor Authentication) results in one less layer of security, making it easier for attackers to access accounts.
- Use of unauthorised software
  Cyber Risk Owners within our research cite use of unauthorised software as the number 1 frustration when it comes to lack of employee diligence. 30% cited the use of systems outside of policy (such as ChatGPT) as a major issue due to unregulated usage and a lack of control over the applications being installed on devices.
Unauthorised Software Download: Airbus Breach, 2023
In September 2023, a cyber-criminal leaked data on 3,200 Airbus vendor partners after exploiting the credentials of a Turkish airline employee who unknowingly installed malware via unauthorised software. This incident underscores the importance of strict third-party software controls and the risks posed by interconnected industries like aviation.
Why These Learnings Should Prompt Change
Human error is highly likely to persist, particularly with the adoption of AI increasing alongside other complex technologies. Phishing attacks are becoming more sophisticated, using social engineering and legitimate websites to launch cyber-attacks incredibly quickly at scale. With 43% of employees having been the victim of a cyber attack at work, and 23% having experienced an attack in the past year, there is increasing pressure to avoid the negative effects of a breach.
This business impact can stretch to include:
- Financial losses
- Reputational damage, as in the case of Airbus in 2023
- Regulatory penalties
- Operational impact
Our Advice to Mitigate Risk
As part of our research, we were able to pull key recommendations for Cyber Risk Owners heading into 2025 to prevent the impact of human error.
- Strengthening Training
  By investing time and funding into employee training and awareness programs, employers can reduce the likelihood of policies being breached.
  However, there is currently a disconnect between employers and employees regarding engagement in training. While 84% of cyber risk owners believe employees are engaged in cyber security training, 73% of employees describe themselves as only “somewhat engaged” (53%) or even “not engaged” (20%). This data indicates a key issue which should prompt employers to improve training programs.
  Complementing this, 76% of employees said that concerns about personal online safety would make them more engaged in training.
- Communication
  When asking resilient organisations what they are investing in during 2025, clearer communication was a top result. Aside from sharing up-to-date policies, employers can also investigate raising awareness of the associated risks of human error to encourage a cultural shift.
  If this cultural change is achieved, employers may also be able to encourage employees to feel comfortable enough to report mistakes and suspected attacks.
  Our research found that only 25% of employees say they would report a colleague breaching security practice to IT. Instead, 21% would offer advice directly to the colleague, suggesting employees don’t feel comfortable raising these issues to the wider company.
- Managed Threat Protection
  Our research highlights that there has been a significant rise in the use of Managed Threat Protection (MTP) services in the last year. 48% of organisations are now leveraging these solutions, up from 33% in 2023.
  Organisations that consider themselves resilient are more likely to have invested in MTP. For instance, 49% of resilient respondents reported using MTP, compared to only 36% of those who described themselves as not resilient.
  MTP is seen as a crucial tool in improving cyber resilience by providing proactive threat detection and immediate containment of malicious activity. It acts as a “safety net” to mitigate the risks associated with human error and insider threats.
These 3 changes will help organisations form a holistic approach to cyber security, mitigating the dual threats of human error and sophisticated cyber attacks.
To Sum it Up
Human error remains a major cyber security risk, but it’s not insurmountable. By prioritising employee training, improving communication, and using tools like Managed Threat Protection, organisations can turn a key vulnerability into an opportunity for growth.
You can read our full report ‘Cyber Resilience in 2025: Futureproofing AI Adoption’ here.