Throughout 2025, cyberattacks on household-name brands have highlighted the financial, operational and reputational damage caused by a successful breach. As a result, businesses across the UK and Ireland are now determined not to become the next victim of cybercriminals, writes Adam Marrè, Chief Information Security Officer (CISO) for the cyber firm Arctic Wolf.
Advanced malware and shadowy nation-state actors are often seen as the biggest threats. However, the uncomfortable truth is that the human factor remains one of the most uncertain and, therefore, one of the most vulnerable aspects of cybersecurity.
Human vulnerability in defence
Attackers understand it is far easier to trick a person than to defeat a complex security system – a staggering 80% of successful breaches involve a human factor. In fast-paced industries, such as retail, where staff are juggling multiple responsibilities, the pressure to be efficient can unintentionally open the door to security lapses. A rushed click on a malicious link in a fake shipping notification, or the use of the same simple password for multiple systems, is all it takes for an adversary to gain unchecked access.
This is especially worrying given that employees are three times more likely to click on a phishing link than to report it to their IT or security department. This is not because of any malicious intent, but because they are not properly trained, are unaware of the risks or are simply too busy to exercise proper vigilance. Cybercriminals know this and understand how to turn it to their advantage. They are masters of manipulating human psychology: exploiting curiosity with convincing phishing emails, trust with impersonation tactics and the tendency to take shortcuts with password hygiene.
For sectors which rely on a complex web of suppliers, partners and third-party vendors, a single stolen password can trigger a devastating supply chain attack, impacting countless other businesses. Over 60% of compromised credentials discovered on the dark web stem from the use of weak or reused passwords. Security leaders cannot afford to overlook the importance of human risk in cybersecurity any longer.
Stop the blame game
When workers fear punishment for reporting a mistake, they stay silent. A minor incident, though, can quickly escalate into a catastrophic breach if it goes unreported. For too long, the industry has fostered a culture of blame, where employees are seen as the weakest link. This is a fundamentally flawed and counterproductive approach.
To truly build resilience, leaders across the UK and Ireland must shift their perspective. Instead of blaming people, we must empower them. This begins with establishing a robust security culture built on shared ownership. It requires moving beyond the annual tick-box training exercise and investing in continuous, engaging security awareness programmes that are relevant to the specific threats employees face daily.
Despite our best efforts, we must also operate with the assumption that mistakes will happen. That is where technology provides a crucial and non-negotiable safety net. A 24×7 Managed Detection and Response (MDR) strategy is essential. It acts as a constant guardian, monitoring the entire IT environment for signs of compromise that may bypass preventative tools. Whether a threat originates from a malicious insider or an accidental click, MDR allows security teams to detect, respond to and neutralise it in minutes, before it can escalate into a headline-grabbing breach.
A shift to employee empowerment
Cybersecurity must be a collective responsibility, not just a concern for IT departments. The growing number of breaches targeting human error must be a wake-up call for leaders to shift from a culture of blame and punishment to one of empowerment. By combining a positive security culture with the necessary technological safety net, people can be another line of cyber defence, rather than a risk, for businesses across the UK and Ireland.




