The best cyber defence is employee awareness, not technology
Summary
Mimecast’s 2025 State of Human Risk Report and supporting studies show that most data breaches are caused by people, not technology. A tiny proportion of staff (about 8%) create the lion’s share of risk, often through password reuse, using work email for personal services or poor handling of credentials. Technical vulnerabilities usually expose deeper cultural and training gaps within organisations. The article argues that HR — not just IT or a standalone CISO — should own security awareness, reframing training as professional development and leadership training rather than box-ticking compliance.
Practical recommendations include regular, realistic and measured training (micro-learning and simulations), creating psychological safety so staff report mistakes, building security into performance and career pathways, and close HR–IT partnership to embed security into recruitment and leadership development.
Key Points
- 95% of data breaches now involve human error; human risk is the dominant vulnerability.
- Just 8% of employees account for roughly 80% of cybersecurity incidents — targeted interventions can yield big gains.
- Training reduces breach costs significantly: organisations with strong awareness programmes see materially lower incident costs.
- Security awareness should be reframed as professional development and leadership training, not merely compliance.
- Psychological safety is essential: staff must feel able to report mistakes so organisations can respond fast.
- Effective training is regular, realistic, measured and integrated into culture and performance reviews.
- HR should partner with IT on recruitment, career pathways, incident response leadership and security champion programmes.
Context and Relevance
This piece is important for HR leaders, CISOs and senior management who are grappling with rising insider risk. It reflects a broader trend: organisations are discovering that heavy investment in perimeter technology hasn’t eliminated breaches because the weakest link remains people and culture. The article links research from Mimecast, IBM, Proofpoint and Ponemon to make a financial and operational case for shifting responsibility — or at least partnership — to HR. If your organisation is investing in security tech but not embedding people-focused change, this article explains why that approach is failing and what to do about it.
Why should I read this?
Because it’ll save you from another expensive wake-up call. The piece cuts through the tech noise and tells HR and leaders exactly where to focus: training that actually sticks, culture change that encourages honesty, and simple HR levers that massively reduce risk. Short version — fix the people side and your tech will finally get the return you paid for.
Source
Source: https://www.thehrdirector.com/best-cyber-defence-employee-awareness-not-technology/