Why human layer security is or should be front of mind for businesses
Blog|by Leanne Bevan|17 February 2026
In an era of multi-million-pound AI-driven cyber defences, a startling truth remains: the most sophisticated “hack” doesn’t target a server – it targets a person. As we move through the mid-2020s, the human layer has become the primary battleground for global cyber security. And for businesses that want to stay resilient, strengthening it is no longer optional. It’s urgent.
The staggering reality of human risk
While companies spend billions on technical controls, the “Human Element” still plays a role in most successful breaches. The data paints a stark picture:
- 68% of all data breaches in 2025 involved a human element, including phishing, stolen credentials, and simple user errors [Verizon].
- 95% of all data breaches are ultimately traceable back to human error, such as misaddressed emails or failure to follow protocols [Mimecast].
- 53% of breaches now involve the use of stolen credentials, which take an average of 292 days to detect – the longest of any attack vector [IBM].
Even the best tools can’t protect a business from a momentary lapse in judgement. Mistakes are more than likely going to be made – we’re all human, busy and perhaps tired. And that’s what cyber criminals thrive on. That is why it’s important to put the right tools and training in place to reduce the risk of this happening as much as possible.
Why traditional security is falling behind
Traditional security focused on building “hard shells” (firewalls and antivirus). However, modern attackers have pivoted to Social Engineering, exploiting psychological triggers like urgency, fear, and curiosity.
- AI-powered phishing: Generative AI has streamlined the creation of believable phishing messages. What once took hours now takes roughly 5 minutes. AI-enhanced phishing emails have seen click rates jump to 54%, compared to just 12% for traditional “spray and pray” attacks [DeepStrike].
- The rise of Deepfakes: Cybercriminals are increasingly using AI-generated audio and video for “vishing” (voice phishing). Trading of deepfake tools on the dark web surged 223% recently, with high-quality deepfake videos costing attackers up to $20,000 per minute to produce for high-stakes fraud [DeepStrike].
- Shadow AI and data leaks: Employees are inadvertently creating new vulnerabilities. In 2025, roughly 20% of breaches involved “Shadow AI” – unsanctioned use of public AI tools by employees – which adds an average of $670,000 to the cost of a breach [IBM].
It’s now important to use a combination of machine and human security – starting with human risk management, all the way through to managed detection and response (MDR) for 24/7 security coverage.
The true cost of a human slip-up
A single click can be catastrophic. And the financial and operational fallout for even the smallest mistake is reaching all-time highs:
- Global average breach cost: Reached $4.88 million in 2024, with U.S. organisations, for example, facing a staggering $10.22 million per incident in 2025 [IBM].
- Business email compromise (BEC): This human-targeted fraud caused over $6.3 billion in losses in 2024 alone [FBI Internet Crime Center].
- The small business threat: The stakes are even higher for smaller firms – 60% of small businesses shut down within six months of a major data breach [National Cyber Security Alliance].
The implications are not only financial; a breach also heavily disrupts other areas. For instance, it affects the workload and focus of many of your teams, and you can also lose your clients’ trust and halt the momentum of other big projects that need time and money. This is why making sure your staff are clued up on spotting suspicious behaviour and emails is integral.
Building a “human layer” strategy
Strengthening the human layer requires moving beyond once-a-year compliance videos. Effective Human Risk Management (HRM) includes:
- Real-time intervention: Using AI-driven tools that “nudge” users when they are about to make a mistake, such as sending an email to the wrong recipient or uploading sensitive data to an unsecure cloud.
- Advanced phishing simulations: Moving from basic tests to sophisticated, role-specific simulations. Advanced training can reduce phishing click rates from 20% to just 3.2% [Verizon].
- A “no-blame” culture: Lapses in vigilance are often due to cyber fatigue, which now affects 46% of organisations. Encouraging employees to report mistakes immediately – rather than hiding them – is critical for rapid containment [Mimecast].
- Regular training and updates: Keep your team skilled on the new threats and technologies, test their knowledge of what to look out for, and make sure they’re aware of their responsibilities for regulatory compliance.
Improve your human layer security
Technology evolves, and so do cyber threats. But one constant remains – your people. When empowered, informed and supported, they become your strongest defence. They’re the “new perimeter.” By investing in human layer security, you transform your greatest vulnerability into your strongest line of defence. And of course, it helps you stay compliant with data regulations like GDPR, HIPAA, and ISO 27001 too.
Need help bolstering your human layer? We can help.
- Read our human layer security blog with recommended solutions including cyber security awareness training, phishing simulations, MDR and more.