The human paradox at the center of modern cyber resilience
How human workers can help build cyber defenses
Cybersecurity headlines continue to be punctuated by high-profile, highly disruptive breaches. In fact, 2025 has already seen some of the most damaging incidents on record, with organizations such as M&S and Co-Op suffering severe and costly disruption.
If the estimated £100 million-plus cost to M&S wasn't bad enough, it was eclipsed by the incident at JLR, widely reported as the most expensive cyber incident in UK history, with its overall economic impact estimated at £1.9 billion.
These and other incidents expose one of cybersecurity's most enduring paradoxes: humans are both the strongest and the weakest links in the chain. M&S has publicly stated that its breach was a result of "human error". While the jury is still out at JLR, speculation points towards a credentials compromise, a classic social engineering tactic.
At the same time, employees are also the bedrock of effective cyber resilience, with an engaged, well-informed workforce ideally placed to recognize and stop suspicious activity long before it develops into a full-scale incident.
A bad problem is becoming worse
The problem for security leaders is that social engineering is still the most effective way to bypass otherwise robust technical controls. The problem is becoming more acute as threat actors increasingly use AI to deliver compelling, personalized, and scalable phishing attacks.
While many such incidents never reach public attention, an attempt last year to defraud WPP used AI-generated video and voice cloning to impersonate senior executives in a highly convincing deepfake meeting.
Unfortunately, the risks don’t end there. Even with strong technical controls and a workforce alert to social engineering tactics, risk also comes from employees who introduce tools, devices or processes that fall outside formal IT governance.
Widely known as ‘Shadow IT’, this behavior often stems from good intentions, with people trying to work faster or collaborate more effectively when the official tools don’t meet their needs as well as alternatives they have discovered. The result is security blind spots and data governance risks that continue to cause serious difficulties.
The list of challenges goes on, with everyday habits such as credential reuse, storing files in unapproved locations, sharing data via consumer apps or using unsecured public Wi-Fi all having the potential to undermine organizational security.
The need for a cultural shift
So, where does that leave us? Reducing human risk is not just about eliminating mistakes; it's about creating an environment where secure behavior becomes the default. It's clear, for instance, that tick-box training, where people passively click through generic modules, just isn't fit for purpose.
What's needed instead is a shift in both mindset and culture, where employees understand not just what not to do, but why their day-to-day decisions genuinely matter: which tools they trust, how they handle unexpected requests, and when they choose to slow down and double-check something rather than act on instinct.
From a leadership perspective, it's much better to foster a culture in which people feel comfortable reporting suspicious activity without fear of blame, rather than an environment where taking the risk feels like the easier option.
Driven by the frustration that awareness training just doesn't cut it, many organizations have implemented layers of security tooling to close human-centric security gaps. While no one would dispute that tools are essential, they can only go so far, and without a strong culture their impact is limited.
Strong culture
But what does this 'strong culture' look like? Consider this scenario: an employee receives an unexpected email request that looks routine but feels slightly "off". Perhaps it's a supplier asking for account details, or a colleague requesting access to documents they don't usually need.
Instead of acting quickly to avoid delaying work, the employee pauses because the culture has normalized slowing down when something seems unusual.
They also know exactly how to report or verify because the processes are familiar and straightforward, with no confusion about who to contact or whether they’ll be blamed for raising a false alarm.
A quick check with the security team confirms the request isn’t legitimate. The team treats the report as valuable intelligence rather than an inconvenience.
Leadership acknowledges the employee’s actions, reinforcing that thoughtful decisions and early reporting are recognized and valued. The incident becomes a learning example for the wider organization, shared as best practice to help others recognize similar patterns in future.
The underlying point is that this needs to happen much more often. Get the approach right, and organizations of every size stand a far better chance of staying on course when faced with cyberattacks with the potential to escalate into existential threats.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Stephan Badesha is CISO at Node4.