Why human layer security is or should be front of mind for businesses 

In an era of multi-million-pound AI-driven cyber defences, a startling truth remains: the most sophisticated “hack” doesn’t target a server – it targets a person. As we move through the mid-2020s, the human layer has become the primary battleground for global cyber security. And for businesses that want to stay resilient, strengthening it is no longer optional. It’s urgent. 

The staggering reality of human risk

While companies spend billions on technical controls, the “Human Element” remains still plays a role in most successful breaches. The data paints a stark picture: 

• 68% of all data breaches in 2025 involved a human element, including phishing, stolen credentials, and simple user errors [Verizon]. 

• 95% of all data breaches are ultimately traceable back to human error, such as misaddressed emails or failure to follow protocols [Mimecast]. 

• 53% of breaches now involve the use of stolen credentials, which take an average of 292 days to detect – the longest of any attack vector [IBM]. 

Even the best tools can’t protect a business from a momentary lapse in judgement. There’s more than likely going to be mistakes made – we’re all human, busy and perhaps tired. And that’s what cyber criminals thrive on. Which is why it’s important to put the right tools and training in place to ensure you reduce the risk of this happening as much as possible. 

Why traditional security is falling behind

Traditional security focused on building “hard shells” (firewalls and antivirus). However, modern attackers have pivoted to Social Engineering, exploiting psychological triggers like urgency, fear, and curiosity. 

• AI-powered phishing: Generative AI has streamlined the creation of believable phishing messages. What once took hours now takes roughly 5 minutes. AI-enhanced phishing emails have seen click rates jump to 54%, compared to just 12% for traditional “spray and pray” attacks [DeepStrike]. 
• The rise of Deepfakes: Cybercriminals are increasingly using AI-generated audio and video for “vishing” (voice phishing). Trading of deepfake tools on the dark web surged 223% recently, with high-quality deepfake videos costing attackers up to $20,000 per minute to produce for high-stakes fraud [DeepStrike]. 
• Shadow AI and data leaks: Employees are inadvertently creating new vulnerabilities. In 2025, roughly 20% of breaches involved “Shadow AI” -unsanctioned use of public AI tools by employees – which adds an average of $670,000 to the cost of a breach [IBM]. 

It’s now important to use a combination of machine and human security – starting with human risk management, all the way through to managed detection and response (MDR) for 24/7 security coverage. 

The true cost of a human slip-up

A single click can be catastrophic. And the financial and operational fallout for even the smallest mistake is reaching all-time highs: 

• Global average breach cost: Reached $4.88 million in 2024, with U.S. organisations, for example, facing a staggering $10.22 million per incident in 2025 [IBM]. 

• Business email compromise (BEC): This human-targeted fraud caused over $6.3 billion in losses in 2024 alone [FBI Internet Crime Center]. 

• The small business threat: The stakes are even higher for smaller firms – 60% of small businesses shut down within six months of a major data breach [National Cyber Security Alliance]. 

Not only are the financial implications, but a breach also heavily disrupts other areas too. For instance, it affects the workload and focus of many of your teams, you can also lose your client trust and halt the momentum of other big projects that need time and money. This is why making sure your staff are clued up on spotting suspicious behaviour and emails is integral. 

Building a “human layer” strategy

Strengthening the human layer requires moving beyond once-a-year compliance videos. Effective Human Risk Management (HRM) includes: 

• Real-time intervention: Using AI-driven tools that “nudge” users when they are about to make a mistake, such as sending an email to the wrong recipient or uploading sensitive data to an unsecure cloud. 

• Advanced phishing simulations: Moving from basic tests to sophisticated, role-specific simulations. Advanced training can reduce phishing click rates from 20% to just 3.2% [Verizon]. 

• A “no-blame” culture: Lapses in vigilance are often due to cyber fatigue, which now affects 46% of organisations. Encouraging employees to report mistakes immediately – rather than hiding them – is critical for rapid containment [Mimecast]. 

• Regular training and updates: Keep your team skilled on the new threats and technologies, test their knowledge of what to look out for, and make sure they’re aware of their responsibilities for regulatory compliance. 

Improve your human layer security

Technology evolves, and so do cyber threats. But one constant remains – your people. When empowered, informed and supported, they become your strongest defence. They’re the “new perimeter.” By investing in human layer security, you transform your greatest vulnerability into your strongest line of defence. And of course, helps you still compliant with data regulations like GDPR, HIPAA, and ISO 27001 too.  

Need help bolstering your human layer? We can help.  

• Listen to our Human Layer Security podcast episode 

• Listen to our Managing Human Risk podcast episode with expert Javvad Malik from KnowBe4 

• Read our human layer security blog with recommended solutions including cyber security awareness training, phishing simulations, MDR and more. 

• Book a free Seven Layers of Security Assessment with our cyber security expert