Why Your Biggest Cybersecurity Risk Is Sitting at a Desk
The human factor in business security and what you can do about it.
When most business owners think about cybersecurity they picture servers, firewalls, and IT teams. Yet the uncomfortable reality is that the most common way criminals gain access to systems is not by breaking the technology. It is by manipulating the people who use it.
This is not a criticism of staff. Cybercriminals have become increasingly sophisticated. They study businesses, mimic colleagues, and craft messages designed to look completely legitimate. Industry surveys regularly put the share of attacks aimed at small and medium-sized businesses at around 43%, partly because larger organisations tend to have more visible defences and smaller businesses can look like easier targets. Understanding how people are targeted is an essential step in defending against these attacks.
The consequences of getting this wrong can be serious. A single cyberattack can disrupt operations, cause financial loss, and damage the trust that has been built with customers and partners. In some cases businesses take years to recover. The encouraging news, however, is that many attacks succeed because of predictable and preventable behaviours. Those behaviours can be changed.
The most common human mistakes
Breach research consistently finds that human error plays a part in most data breaches. The behaviours that create risk are often simple and familiar, and many businesses will recognise them:
Falling for phishing emails — messages that appear to come from a trusted source but are designed to steal login details or install malware.
Reusing the same password across multiple accounts, meaning one compromised login can open access to several systems.
Ignoring software update prompts, leaving known security vulnerabilities unaddressed.
Sharing passwords between team members, making it impossible to track activity or revoke access when someone leaves.
Not locking screens in public or shared spaces, which leaves an unattended session open to anyone passing by and means a stolen device is stolen unlocked, with everything on it accessible.
Delaying the reporting of an incident, which can significantly increase the cost and complexity of the response.
None of these behaviours reflect a lack of intelligence. They are usually habits that develop in busy workplaces. The challenge for many organisations is that these habits persist when processes are unclear, reporting is discouraged, or security is viewed as someone else’s responsibility.
Why phishing remains the top threat
Phishing attacks have existed for decades, but they have become far more convincing. In the past, suspicious emails often contained obvious spelling mistakes or unusual requests. Today’s attacks are more carefully prepared. Criminals research organisations, learn internal language, and send messages that closely resemble genuine communication from colleagues, suppliers, or banks.
The objective of a phishing attack is straightforward. The attacker wants someone to take an action they would never take if they knew the request was fraudulent. The practical defence is equally straightforward: pause, verify the request through a separate channel you already trust (a phone number from your own records, not one in the message), and never act purely on urgency.
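Several of the warning signs described above can be checked mechanically before a message reaches a busy inbox: a Reply-To that quietly points somewhere else, a sender domain that differs from a known supplier's by one character, a display name that borrows a trusted organisation's name, pressure words in the subject, and links whose visible text names one site while the address behind it points to another. The script below is an added example, not code from the article; the trusted-domain list and both sample messages are constructed for illustration, and a business would substitute its own supplier and bank domains.

```python
"""Flag common phishing indicators in a raw email message.

Added example, not code from the article. The trusted-domain list and
both sample messages are constructed for illustration; a business would
load its own supplier and bank domains instead.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the business genuinely deals with (placeholders).
TRUSTED_DOMAINS = {"example-supplier.com", "example-bank.com"}
# Pressure words that should make the reader pause rather than act.
URGENCY_TERMS = ("urgent", "immediately", "today", "within the hour",
                 "suspended", "final notice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near-identical string."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable warnings; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. Replies silently routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_dom}")
    # 2. Sender domain is a near miss of a trusted one (e.g. a digit for a letter).
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"sender domain {from_dom} imitates trusted {target}")
    # 3. Display name borrows a trusted organisation's name, address does not match.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in from_name.lower() and from_dom != trusted:
            findings.append(f"display name mentions '{brand}' but address is @{from_dom}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body)
    # 4. Pressure language in subject or body.
    haystack = f"{msg.get('Subject', '')} {text}".lower()
    pressure = [t for t in URGENCY_TERMS if t in haystack]
    if pressure:
        findings.append("urgency language: " + ", ".join(pressure))
    # 5. Links whose visible text names one site while the href points elsewhere.
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        label = re.sub(r"<[^>]+>", "", label).strip()
        href_host = host_of(href)
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}\S*", label, re.I) and host_of(label) != href_host:
            findings.append(f"link text shows {host_of(label)} but points to {href_host}")
        target = lookalike_of(href_host)
        if target:
            findings.append(f"link host {href_host} imitates trusted {target}")
    return findings


# Constructed sample: a fake "new bank details" message imitating a supplier.
SUSPICIOUS = b"""From: "Accounts - Example Supplier" <accounts@examp1e-supplier.com>
Reply-To: <payments.desk@mail-relay.example.net>
To: finance@yourbusiness.example
Subject: URGENT: updated bank details for invoice 4471
Content-Type: text/html; charset="utf-8"

<p>Please action today. Our bank details have changed, see
<a href="http://examp1e-supplier.com/portal">https://example-supplier.com/portal</a>.</p>
"""

# Constructed sample: a routine, genuine-looking invoice notification.
ROUTINE = b"""From: Accounts <accounts@example-supplier.com>
To: finance@yourbusiness.example
Subject: Invoice 4471 from Example Supplier
Content-Type: text/plain; charset="utf-8"

Please find attached invoice 4471. Payment is due in 30 days.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

None of these checks proves a message is fraudulent, and a clean result does not prove it is safe; an attacker using a genuinely compromised supplier mailbox trips none of them. The value is in turning "look carefully" into specific things to look at, and in giving staff a concrete reason to pick up the phone.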
Voice phishing, known as vishing, is also becoming more common. A caller claiming to be a senior colleague or someone from a bank can be persuasive, particularly if the request sounds urgent. These calls rely on pressure, urging someone to act quickly, transfer funds, or share login information. Teaching staff to treat any unexpected request for money or system access as a warning sign, and to call back on a number from the organisation's own records rather than one the caller provides, is an important safeguard.
It is also worth noting that ransomware, malicious software that encrypts files and demands payment to restore access, is frequently delivered through phishing attacks. Often it arrives through an email attachment or a link that installs software in the background. For this reason, staff awareness and training are not optional extras. They are one of the most important lines of defence available to a business.
Building a security aware culture
Technology alone will not solve this problem. What often makes the difference is a workplace culture where employees understand the role they play in protecting the business.
This does not require complex programmes or technical language. It begins with straightforward conversations within the organisation. Staff should understand the risks the business faces, what warning signs to look for, and who they should contact if something seems unusual.
It is equally important to make it clear that reporting concerns is always encouraged. Even if the concern turns out to be a false alarm, the cost of checking is minimal compared to the consequences of a breach that goes unreported.
Regular training also plays an important role, but it should be practical and relevant to the organisation. Generic awareness sessions are quickly forgotten. Realistic examples that reflect how an attack might actually appear within the business are far more effective.
Some organisations also run simulated phishing exercises with the help of specialist providers. These tests can reveal how easily even experienced staff can be caught by a well designed message. Discovering this during a controlled exercise is far preferable to discovering it during a real attack.
Action steps
Start a conversation with your team about phishing. Show a real example and ask whether they would have recognised it.
Establish a clear and supportive process for reporting suspected incidents.
Check whether team members are sharing login credentials and ensure that this practice stops.
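Asking people whether they share logins gets patchy answers; login records give a more reliable starting point. If one account signs in from several different machines within a few minutes, it is almost certainly being used by more than one person. The script below is an added example, not code from the article: it reads constructed log lines in a made-up format (real sources such as Windows logon events, SSH authentication logs or a cloud application's audit export would need their own parsing), keeps only successful logins, and reports accounts seen from two or more source hosts inside a ten-minute window.

```python
"""Spot accounts that are probably being shared, from login records.

Added example, not code from the article. The log lines and their format
are constructed for illustration; real systems (Windows event logs, SSH
auth logs, a SaaS audit export) differ and need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: one line per login attempt in this constructed format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

# Constructed sample: 'reception' is used from three desks in four minutes,
# 'bob' logs in from the office and later from another address, 'amy' is normal.
SAMPLE_LOG = """\
2024-03-04T08:00:02Z login user=bob src=10.0.3.3 result=success
2024-03-04T09:00:10Z login user=amy src=10.0.2.9 result=success
2024-03-04T09:02:11Z login user=reception src=10.0.1.15 result=success
2024-03-04T09:04:50Z login user=reception src=10.0.1.22 result=failure
2024-03-04T09:05:31Z login user=reception src=10.0.1.22 result=success
2024-03-04T09:06:07Z login user=reception src=10.0.1.40 result=success
2024-03-04T13:00:44Z login user=amy src=10.0.2.9 result=success
2024-03-04T17:30:00Z login user=bob src=10.0.3.50 result=success
"""


def parse_logins(text: str):
    """Yield (timestamp, user, src) for successful logins; skip failures and junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["src"]


def shared_account_candidates(text: str, window: timedelta = timedelta(minutes=10),
                              min_sources: int = 2) -> dict:
    """Accounts that logged in from `min_sources` distinct hosts within `window`.

    Returns {user: sorted list of source hosts seen inside an offending window}.
    """
    by_user = defaultdict(list)
    for ts, user, src in parse_logins(text):
        by_user[user].append((ts, src))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of the newest event.
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) >= min_sources:
                flagged.setdefault(user, set()).update(sources)
    return {user: sorted(hosts) for user, hosts in flagged.items()}


if __name__ == "__main__":
    for user, hosts in shared_account_candidates(SAMPLE_LOG).items():
        print(f"{user}: used from {len(hosts)} hosts within 10 minutes: {', '.join(hosts)}")
```

Treat the output as a list of conversations to have, not proof: a laptop moving between office Wi-Fi and a VPN, or a kiosk machine, can look similar. Where a login genuinely must be shared, the fix is an individual account per person plus a password manager for the few shared secrets that remain, so that activity can still be traced to a person and access removed when they leave.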
Cybersecurity is ultimately a business risk as much as a technical one. If you would like to discuss how to strengthen your approach get in touch.