Babble Blog

Why 95% of Cyber Breaches Start with People — and What to Do About It

Written by James Gaskell | May 12 2026

Attackers aren’t trying to beat your firewall anymore; they’re trying to outsmart your people. Cyber attacks aren’t the highly technical operations you may imagine them to be. Most attacks don’t begin with a dramatic attempt to break through expensive security systems.

They’re much quieter: someone clicks on a link in a convincing email, scans a QR code, shares information too quickly or uses an unapproved AI tool because it makes their day easier. And suddenly, a business that believed it was reasonably secure has a big problem on its hands.

That’s the uncomfortable truth behind the statistic that around 95% of cyber breaches still trace back to human error. The issue isn’t necessarily that your people are careless. It’s that bad actors have become incredibly good at targeting human behaviour. And for many organisations, that human risk exposure remains largely invisible.

When someone falls for a phishing attack (as we’re all prone to do), the instinct is often to think: “How could they be so careless?” But that misses the bigger issue entirely. Having spent more than a decade working across telecoms, managed services and cyber security, I can tell you just how easy it is to get caught out.

These attacks are designed specifically around human psychology. Attackers know people are busy, get distracted and want convenience. And increasingly, they know exactly how to manipulate those behaviours at scale.

This article breaks down why phishing and social engineering attacks still work so well, why traditional awareness training often fails, and what good human risk management looks like in practice. More importantly, we’ll explore how SMBs can make human risk measurable over time and build a stronger cyber culture (without blame).

Why human behaviour remains the easiest way in

Phishing attacks are more effective than ever

Phishing remains the most common form of cyber crime for one simple reason: it works. All attackers need is just one email.

Think about it this way: if a criminal sends out a million phishing emails and only one person clicks, most industries would consider that a terrible success rate. But cyber criminals are playing a completely different game. The amount of information, access and financial value they can generate from one successful attack means the economics still work massively in their favour.

And thanks to automation and artificial intelligence (AI), these attacks are now incredibly easy to scale. Attackers can:

  • Personalise messages quickly
  • Impersonate your suppliers or leadership team
  • Mimic legitimate payment requests
  • Create convincing fake login pages
  • Use AI-generated language that sounds natural and believable

What’s changed over the last few years is that phishing no longer looks glaringly suspicious. The old days of terrible spelling mistakes and obviously fake princes stuck abroad are pretty much gone. Today’s attacks are subtle, professional and very context-aware.

Some of the most effective attacks are what we call “scatter-shot” attacks. Bad actors send huge volumes (literally millions) of messages to massive groups of people, knowing only a tiny percentage need to respond.

The problem is compounded by habit: because digital-native generations like Millennials and Gen Z are so used to sharing information online, these attacks become even easier. We hand over email addresses for free WiFi, scan QR codes without thinking, and accept app permissions instantly.

That behaviour has become normal, and that’s exactly what cyber criminals are banking on.

Your firewall probably isn’t the weakest link

Breaking through a modern firewall is difficult. They are constantly updated, monitored, and maintained, often coming with service-level agreements (SLAs) and insurance-backed assurances. So, it goes without saying that most organisations today invest heavily in security controls.

But what’s easier than trying to break the technology? Targeting the people using it, because we’re much easier to predict.

Years ago, a company I worked for ran a simple internal exercise. They scattered USB drives around a secure office car park. The drives contained software that would notify IT if someone plugged one into their work device (so they could identify the “risky users” and give them a light lecture). Sure enough, people picked them up and plugged them in simply because they wanted to know what was on them. Not because they were stupid, just curious.

And that’s the point: attackers don’t need to defeat your entire security estate. They only need one person to make one mistake at the wrong moment.

The problem with tick-box cyber awareness

One of the biggest mistakes SMBs make when trying to minimise human risk is treating cyber awareness like a once-a-year compliance exercise.

I often compare it to a car MOT. A couple of weeks before the test, people panic. They rush around sorting tyres, brakes and wipers. They spend some money and get through the test, which is completely forgotten about until next year.

Many businesses approach cyber security in the same way. They run an annual awareness session. Employees complete a compliance module. A few boxes get ticked, and everyone quickly moves on.

But here’s the problem: cyber threats don’t stand still. Attack techniques evolve constantly, new AI tools emerge, working patterns change, and employees adopt new apps and workflows. Most awareness programmes, however, don’t evolve alongside them.

That creates complacency. Once cyber security becomes something people “have to do once a year”, how much learning do you think sticks? You can overwhelm people with information for a single afternoon, but that doesn’t automatically change behaviour.

Behaviour changes through repetition, consistency, and small reinforcements over time. This is why ongoing awareness is far more effective than annual training sessions alone.

The visibility gap

Do you know what your people are doing behind the scenes?

Visibility is a huge challenge in human risk (hence the USB test mentioned earlier). Most businesses think they have a reasonable understanding of how employees use technology. But in most cases, they can only see what’s happening centrally. They know what the IT team is using, what’s officially approved and what the policies say.

What happens in reality is often very different. The most prominent example is how shadow IT has become such a huge issue.

Most (if not all) of us have regularly used at least one of the following:

  • Unapproved AI tools
  • Personal note-taking apps
  • Consumer cloud storage
  • Unsanctioned productivity software
  • Personal devices for work activity

This usually isn’t about trying to bypass security; it’s about trying to make your job easier.

I’ll be honest, even I’m guilty of it. Internally, we use CRM systems to manage customer information properly. But when I’m travelling or working quickly, I’ll often jot things down in OneNote first because it’s more convenient.

That may sound harmless. But every workaround introduces potential risk, and the further employees sit from direct IT oversight, the more policies tend to drift. This is especially true in hybrid and remote environments. You might have excellent cyber policies documented internally, but if employees don’t understand them, follow them, or even know they exist, simply having a policy in place changes very little.

This is where I’ve seen many SMBs struggle: they have tools, policies and suppliers. But they don’t have a clear, comprehensive view of where behavioural exposure actually exists.

Reactive security creates dangerous blind spots

“We only have 12 employees.” “We’re not a huge enterprise.” “Why would anyone target us?” So many small businesses still believe they’re too small to be targets. Let’s be clear: attackers don’t care about the size of your business. They care about opportunity.

Smaller businesses are often connected to suppliers, customers, financial systems, and larger enterprise supply chains. That means every business can become a stepping stone. When you add how cheap and scalable phishing attacks are, you see just how little attackers lose by trying.

Unfortunately, many organisations only start taking human risk seriously after an incident happens. It’s similar to putting up security cameras after your house has already been broken into. Priorities suddenly change when the damage has been done. But I get it: preventative investment can feel difficult to justify beforehand (especially for SMBs with stretched budgets and resources).

Which brings us back to why visibility matters so much: you can’t know what to prioritise if you can’t clearly see where your biggest risks are.

What good human risk management looks like

The good news is that improving human risk posture is not impossible. In fact, it’s more achievable than you may think. It boils down to creating an environment where people are better supported and more aware, confident and likely to pause or validate before acting.

Good human risk management typically includes:

Ongoing awareness training

Not once a year. Continuously. Short, regular reinforcement tends to work far better than overwhelming employees with information all at once.

Phishing simulations with learning loops

The point of simulations is not to catch people out or embarrass them. It’s to help them recognise patterns safely before a real attack happens.

We recently ran a simulation at our latest Sales Kick-Off meeting, and it was so powerful because it felt real. All of our attendees realised: “I would have done that too.” That is what changes behaviour.

Department-level behavioural insight

Different teams – finance, HR, remote sales, customer service – carry different types of exposure. Understanding where higher-risk behaviour exists enables you to prioritise support more effectively.

Policies that work in practice

A policy hidden in a 30-page PDF nobody reads changes very little. Policies need to feel realistic, practical and connected to everyday workflows.

A culture without blame

This is a big one because silence creates far bigger problems. If you fear punishment every time you report something suspicious, you’ll probably stop reporting things altogether.

Good cyber culture encourages people to ask questions, flag concerns, and admit mistakes early. Remember, the goal isn’t to blame people: it’s to help them make better decisions more consistently.

HIDDEN: Making human risk measurable

When it comes to improving human risk, visibility is only half of the equation. You need a way to measure progress properly. I’m not talking about tracking click rates from phishing simulations (these alone rarely tell the full story). What matters more is understanding trends over time.

For example:

  • Are repeat vulnerabilities reducing?
  • Are certain departments improving?
  • Are employees reporting suspicious activity faster?
  • Are risky behaviours decreasing?
  • Is awareness improving across the organisation?

Measurement creates visibility, and visibility creates confidence. It helps leadership teams prioritise investment, demonstrate progress, support audits and insurer requirements, and understand where support is still needed.
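As an added illustration (not part of the original article or any vendor product), the snippet below computes the trend metrics just described from a constructed set of phishing-simulation records: per-department click rate and report rate per campaign, median time to report, and the users who clicked in more than one campaign. All campaign, department and user values are made up for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the article): one row per employee per
# simulated phishing campaign, campaigns listed in chronological order.
# (campaign, department, user id, clicked the lure?, minutes until the user
#  reported the message, or None if they never reported it)
RESULTS = [
    ("2025-Q1", "finance", "u1", True,  None),
    ("2025-Q1", "finance", "u2", False, 45),
    ("2025-Q1", "finance", "u3", True,  None),
    ("2025-Q1", "sales",   "u4", False, None),
    ("2025-Q1", "sales",   "u5", True,  None),
    ("2025-Q2", "finance", "u1", True,  None),   # clicked again: a repeat vulnerability
    ("2025-Q2", "finance", "u2", False, 12),
    ("2025-Q2", "finance", "u3", False, 30),
    ("2025-Q2", "sales",   "u4", False, 20),
    ("2025-Q2", "sales",   "u5", False, None),
]

def campaign_metrics(results):
    """Per (campaign, department): click rate, report rate and median minutes to report."""
    groups = defaultdict(list)
    for campaign, dept, _user, clicked, report_min in results:
        groups[(campaign, dept)].append((clicked, report_min))
    metrics = {}
    for key, rows in groups.items():
        report_times = [m for _c, m in rows if m is not None]
        metrics[key] = {
            "click_rate": round(sum(1 for c, _m in rows if c) / len(rows), 3),
            "report_rate": round(len(report_times) / len(rows), 3),
            # None when nobody reported, so "no signal" is never mistaken for "fast"
            "median_report_minutes": median(report_times) if report_times else None,
        }
    return metrics

def repeat_clickers(results):
    """Users who clicked in more than one campaign: the repeat-vulnerability signal."""
    clicks = defaultdict(set)
    for campaign, _dept, user, clicked, _m in results:
        if clicked:
            clicks[user].add(campaign)
    return {u for u, c in clicks.items() if len(c) > 1}

def department_trend(results, dept):
    """Chronological (campaign, click_rate, report_rate) for one department."""
    metrics = campaign_metrics(results)
    campaigns = sorted({c for c, d in metrics if d == dept})
    return [(c, metrics[(c, dept)]["click_rate"], metrics[(c, dept)]["report_rate"]) for c in campaigns]
```

In this sample, finance moves from a 67% click rate and one report to a 33% click rate and two faster reports, which is the kind of per-department trend the passage argues matters more than a single campaign's click rate.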

This is what makes the HIDDEN framework valuable. HIDDEN is not a product stack or a one-off audit. It’s a structured way to understand cyber security across six key areas, including people.

The first step is understanding where your exposure sits

As humans themselves, cyber criminals understand human behaviour extremely well. That’s unlikely to change. But what can change is how your business responds. The organisations making the biggest improvements are not necessarily the ones spending the most money. They’re the ones building visibility, reinforcing awareness consistently, and creating cultures where security becomes part of everyday behaviour rather than an annual compliance event.

Most importantly, the businesses that stay on top of these threats are the ones willing to acknowledge that human risk exists in every organisation, including their own. Even among experienced people and seasoned cyber professionals.

That’s nothing to be embarrassed about. As I often tell customers, these attacks are successful precisely because attackers know what works and target natural human behaviour. Human risk is not insurmountable when you start with visibility.

Want a clearer view of your human risk exposure?

If you’re not fully confident that your people would spot a convincing phishing attempt today, the first practical step is gaining visibility into where your exposure sits.

Our Cyber Security Snapshot helps businesses like yours:

  • Identify behavioural gaps
  • Understand where risks are concentrated
  • Prioritise what matters most
  • Track improvement over time

Because the biggest cyber risks are often the ones businesses can’t yet see in their people, behaviours and habits.