The human factor: why cybercrime succeeds and how you can protect your organisation
Risk Management | Cyber Resilience | Article | March 23, 2026
Organisations are spending billions on cybersecurity technology. But social engineering – tricking people into doing something they shouldn’t, like clicking a link or opening an attachment that looks like it’s from someone they trust – is still a major threat.
Phishing emails, or scam emails, don’t always work. In fact, they fail most of the time. But cybercriminals only need to fool some of your people some of the time to succeed.
Cyber attackers are skilled at manipulating human behaviour. While email filtering, endpoint protection, and detection technologies have improved, phishing remains the most effective attack vector and shows no signs of slowing down.
Social engineering is the biggest cyber security threat
Phishing is the top cause of cyber incidents in the UK. Government-backed surveys show that over 80% of organisations report phishing as the main reason for breaches.
Every day, billions of phishing emails are sent worldwide. It’s a cheap and scalable tool for cybercriminals. Phishing works because anyone can make a mistake when a credible looking scam email arrives.
Why phishing dominates the cyberattack threat horizon
Gone are the days of poorly written, obvious scam emails. Modern phishing uses:
- Brand impersonation to make it look like an email from your organisation or a trusted vendor
- Awareness of what is happening in your organisation
- A sense of urgency
- AI-generated content
This is why social engineering is so effective. Cybercriminals attack trust before the system.
Is cyber awareness training enough?
Most organisations offer regular cyber awareness training. While this is well-meaning, it often ticks a compliance box rather than reducing real-world risks.
Tracking completion rates is easy, but changing behaviour is harder. Human behaviour is unpredictable, and knowing what phishing is doesn’t guarantee you’ll spot a scam during a busy day.
The key metric is reporting times
Phishing simulations are common, but they often focus on click rates. While fewer clicks are good, the real measure of resilience is how quickly employees report suspicious emails.
Fast and frequent reporting can significantly reduce the impact of phishing attacks. Organisations that encourage reporting without blaming employees turn potential victims into active defenders.
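To make the reporting metric concrete, here is an added example (not code from the original article) that scores a phishing simulation by time-to-report rather than click rate. It assumes a simple per-recipient record (send time, optional click time, optional report time) and uses a constructed set of results; the useful outputs are how quickly the first report arrived, the median time-to-report, and whether the first report beat the first click, which is the window in which a security team could have pulled the message before anyone was harmed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Recipient:
    """One simulation recipient. Timestamps are naive UTC for this example (assumed schema)."""
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def _t(hhmm: str) -> datetime:
    # Helper for the constructed sample: every event falls on one day, given as "HH:MM" UTC.
    return datetime.fromisoformat(f"2026-03-23T{hhmm}:00")


# Constructed results from a single simulated phishing send (illustrative, not real data).
SENT = _t("09:00")
SAMPLE = [
    Recipient("alice", SENT, reported_at=_t("09:04")),                       # reported, no click
    Recipient("bob", SENT, clicked_at=_t("09:06"), reported_at=_t("09:09")),  # clicked, then reported
    Recipient("carol", SENT, clicked_at=_t("09:12")),                        # clicked, never reported
    Recipient("dave", SENT),                                                 # ignored the email
    Recipient("erin", SENT, reported_at=_t("09:02")),                        # fastest reporter
    Recipient("frank", SENT),                                                # ignored the email
]


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def score(recipients: list) -> dict:
    """Return resilience metrics for one simulation, reporting-centric rather than click-centric."""
    total = len(recipients)
    if total == 0:
        # No recipients: rates are zero and time-based metrics are undefined.
        return {"click_rate": 0.0, "report_rate": 0.0, "first_report_minutes": None,
                "median_report_minutes": None, "reported_after_click": 0,
                "first_report_lead_minutes": None}

    clickers = [r for r in recipients if r.clicked_at is not None]
    reporters = [r for r in recipients if r.reported_at is not None]

    # Time-to-report is measured from the send time; the sorted list lets us pick the first.
    report_times = sorted(_minutes(r.reported_at, r.sent_at) for r in reporters)
    first_report = report_times[0] if report_times else None
    median_report = median(report_times) if report_times else None

    # People who clicked and still reported are not failures: their report is what lets
    # responders contain the incident, so count them separately rather than as "clicks".
    reported_after_click = sum(1 for r in reporters if r.clicked_at is not None)

    # Lead time: minutes between the earliest report and the earliest click.
    # Positive means the report arrived before anyone clicked (containable); negative means
    # a click came first; None when there were no clicks or no reports to compare.
    first_report_lead = None
    if clickers and reporters:
        earliest_click = min(r.clicked_at for r in clickers)
        earliest_report = min(r.reported_at for r in reporters)
        first_report_lead = _minutes(earliest_click, earliest_report)

    return {
        "click_rate": len(clickers) / total,
        "report_rate": len(reporters) / total,
        "first_report_minutes": first_report,
        "median_report_minutes": median_report,
        "reported_after_click": reported_after_click,
        "first_report_lead_minutes": first_report_lead,
    }


if __name__ == "__main__":
    for key, value in score(SAMPLE).items():
        print(f"{key}: {value}")
```

Reading the sample: a third of recipients clicked, but half reported, the first report came two minutes after the send, and it arrived four minutes before the first click. That lead time is the number worth tracking across simulations; a click rate alone would hide it.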
Cyber awareness training should be tailored to users
A one-size-fits-all approach to training doesn’t work. Explaining what malware or ransomware is won’t help employees make better decisions in real situations.
Recent attacks on brands like Marks & Spencer and Gucci show how attackers target human behaviour. They don’t just use phishing emails but also vishing – voice phishing – where employees are manipulated over the phone.
In vishing, one unsuspecting employee can cause an incident costing millions.
Awareness training needs to evolve. Employees should learn:
- How they might be targeted
- Where threats come from (e.g., untrusted websites, unexpected attachments, urgent phone calls)
- What’s expected of them when using corporate systems
Effective awareness training should align with the Acceptable Use Policy. Policies set expectations, and training should make them actionable. Without this link, training becomes abstract and forgettable.
Acceptable Use Policies shouldn’t be static documents reviewed once a year. They should be reinforced regularly through targeted activities that explain:
- What employees should do
- What they shouldn’t do
- Why these rules exist in today’s evolving threat landscape
Cybersecurity: a system of interconnected controls
Strong cyber protection isn’t about just one solution. Real security comes from combining:
- clear and practical processes
- proactive and reactive technology
- a well-informed and empowered team
Spending a lot on expensive tools but ignoring human behaviour leaves a big gap. Similarly, training people without the right technology and processes won’t work well. These elements need to work together, like parts of a well-tuned engine.
The UK National Cyber Security Centre (NCSC) supports this layered approach. It highlights the importance of not just blocking harmful emails but also building resilience for when attacks get through.
Cyber criminals often target human behaviour because it’s the easiest way into your organisation. But this doesn’t mean people have to be the weakest link.
With the right approach, your team can become a strong first line of defence. That approach includes:
- regular, bite-sized learning
- role-specific training
- a strong culture of reporting
- clear rules for acceptable use
This approach fits well with the Zero Trust philosophy: never assume, always verify, and design controls that account for human mistakes while helping people make better choices.
