
You Understand Human Risk. Now Where Is It Showing Up in Your Organisation?

June 15, 2026

After running our recent webinar with Khetan Gajjar, Field CTO at Mimecast, one thing stood out in the conversations that followed: human risk has moved well beyond the "awareness training" conversation. People get that now.

What came through clearly is that phishing, business email compromise, shadow AI and insider risk are not just technical problems. They're shaped by behaviour, pressure, trust, distraction and the reality of how people actually work day to day.

That matters, because attackers are not just trying to beat your technology. They're trying to influence decisions.

They want someone to approve the payment. Share the file. Scan the QR code. Move the conversation to WhatsApp. Paste the spreadsheet into an AI tool. Click the link because the message feels urgent and familiar enough to be real.

So the question is no longer whether human risk matters. It does. The useful question is where it's showing up in your organisation, and what you can actually do about it.


Khetan Gajjar

Human Risk is Not Just a Phishing Problem

Phishing is still the obvious starting point. It's visible, measurable and familiar. Most organisations I speak to have some form of email security, awareness training and phishing simulation in place.

But if your view of human risk starts and ends with "who clicked the link?", you'll miss a lot.

Human risk shows up wherever people are making decisions with incomplete information, under time pressure, across tools that may or may not be well controlled. It shows up when a finance user receives a convincing supplier request. When an employee forwards a document to a personal account because the approved sharing process is clunky. When someone uses a public AI tool to summarise sensitive information because they're trying to get something finished. When a senior leader is targeted because their name, job title and public profile make impersonation straightforward.

None of that is solved by telling people to be more careful. They're already trying to be careful. The problem is that modern work gives attackers more opportunities to make the wrong action feel reasonable in the moment.

Where Human Risk Usually Appears First

In most environments I work with, human risk isn't hidden in one dramatic weakness. It's spread across normal working habits. That's precisely why it can be hard to see clearly.

Email and Impersonation

Business email compromise is one of the clearest examples of human risk playing out in practice.

The attacker may not need malware. They may not need an attachment. They may just need a message that looks close enough to a genuine supplier, colleague or senior leader to get someone to act. Change bank details. Approve an invoice. Move the conversation to WhatsApp where monitoring is weaker.

This is where I'd encourage organisations to look beyond blocked emails and spam reports. The more useful questions are: did the message reach the user? Did they engage with it? Was it reported? Was there unusual sign-in activity afterwards? Did it trigger a business process - a payment, a data share?

Email security matters, but the real risk is often what happens after the message lands.

Identity and Access

When someone makes a mistake, your identity controls determine how far the damage travels.

That's why human risk and identity risk are so closely linked. If a user enters credentials into a fake login page, strong MFA, conditional access and sensible privilege management can limit what happens next. If accounts are over-permissioned, legacy authentication is still lurking, or privileged access is poorly controlled, a small human error becomes a much larger incident.

The practical steps here are not glamorous: review privileged access, tighten joiner-mover-leaver processes, check MFA coverage, monitor risky sign-ins, make sure people only have access to what they actually need. Basic, yes. But in my experience, basic controls stop a disproportionate number of incidents from getting significantly worse.

Shadow AI

Shadow AI is one of the clearest examples of human risk changing shape, and it's one I'm having more conversations about than anything else right now.

People are not using AI tools to create security problems. They're using them because they work. They help write emails, summarise documents, analyse spreadsheets, prepare notes and cut down repetitive work. For many people, AI is already part of the working day whether the organisation has formally approved it or not.

The risk appears when sensitive information - customer data, commercial documents, contracts, meeting notes - moves into systems the organisation doesn't manage, monitor or fully understand.

The practical response is not to pretend it isn't happening. In most organisations, it is. Start by understanding which tools are being accessed, what guidance people have actually been given, whether approved alternatives exist, and what categories of data should never go near a public AI tool. A policy that simply says "do not use AI" may look tidy on paper. In practice, it tends to push usage further out of sight.

Collaboration Tools

Teams, SharePoint, OneDrive and similar platforms have become the actual working environment for most organisations. They're also where human risk can quietly accumulate.

External sharing, guest access, unmanaged Teams channels, inherited permissions, old project folders, overshared documents - none of this usually happens because someone did something wildly irresponsible. It happens because collaboration platforms grow quickly and rarely get the same attention on the way out as they got on the way in.

The practical question is whether users can share securely without needing a workaround. If they can't, the workaround becomes the default.

Reporting Culture

This is the part I think still gets underestimated, even in organisations that have invested heavily in everything else.

You can have strong controls, good tooling and sensible policies, but if people are nervous about reporting a mistake, your response is already delayed. A blame-led culture makes incidents worse, not because people become malicious but because problems stay hidden longer.

If someone clicks a link, shares a file incorrectly or enters credentials somewhere suspicious, you want to know immediately. The earlier it surfaces, the more options you have. That means reporting needs to be simple, visible and - genuinely - culturally safe. The best security cultures aren't the ones where nobody ever makes mistakes - those don't exist. They're the ones where mistakes surface quickly enough to be contained.

Practical Ways to Reduce Human Risk

Once you know where human risk tends to appear, the work becomes: reduce the number of risky moments, and improve how you respond when they happen. That doesn't always mean buying something new.


Make safe behaviour easier than the alternative. If sharing a document securely takes ten steps and a personal account takes two, the process is creating risk. Look for the friction points where workarounds are already building.


Put prompts closer to the moment of decision. A training module completed six months ago won't help someone who's tired and dealing with a convincing request at 4:45pm. A warning before sending data externally, a prompt when interacting with a suspicious message, a clear alert when a payment request looks unusual - these land at the moment they can still change something. But too many warnings become noise, so the goal is useful guidance at the right time, not volume.


Tighten the processes attackers like to exploit. Payment changes, password resets, supplier onboarding, access requests, leaver processes: these are the gaps between people, process and technology that attackers look for. Payment detail changes shouldn't be approved by email alone. Departing employees shouldn't retain access because nobody's picked up the ownership. Good process reduces the reliance on individual judgement under pressure.


Give people approved routes for AI. The organisations that handle this well won't be the ones that say no. They'll be the ones that create enough structure and visibility for people to use AI without putting sensitive information at risk.


Connect the signals. Human risk doesn't sit in one dashboard. Email, identity, endpoint, collaboration, web activity, data protection: they all give you part of the picture, and they're often reviewed separately. A user who fails a phishing simulation might be low risk. A user who fails a simulation, has risky sign-ins, shares sensitive files externally and uses unsanctioned AI tools needs attention. Context changes everything. The more joined up your signals are, the easier it is to focus on what actually matters rather than reacting to noise.


Design security and productivity together. Lock everything down and people can't work properly - and will find workarounds. Leave everything open and you create exposure. The better approach is understanding where the business genuinely needs flexibility, where risk is highest, and where controls can guide behaviour without stopping work.
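
To make the "connect the signals" point concrete, here is an added Python example (not code from the post, the webinar or TIEVA) that joins constructed per-user signals from email, identity, collaboration and AI usage, scores them with assumed weights, and triages users so that one isolated failed simulation stays low while a user with evidence across several sources is flagged for attention. The event names, weights and thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample signals for illustration only (not real telemetry); each is (user, source, signal).
EVENTS = [
    ("alice", "email", "phish_sim_failed"),
    ("bob", "email", "phish_sim_failed"),
    ("bob", "identity", "risky_signin"),
    ("bob", "collab", "external_share_sensitive"),
    ("bob", "web", "unsanctioned_ai_tool"),
    ("carol", "email", "suspicious_msg_reported"),
    ("dave", "identity", "risky_signin"),
]

# Illustrative weights (an assumption of this example); reporting is a healthy behaviour and lowers risk.
WEIGHTS = {
    "phish_sim_failed": 1,
    "risky_signin": 3,
    "external_share_sensitive": 2,
    "unsanctioned_ai_tool": 2,
    "payment_process_triggered": 4,
    "suspicious_msg_reported": -1,
}

def score_users(events):
    """Join signals per user across sources: returns {user: (score, set_of_sources)}."""
    score = defaultdict(int)
    sources = defaultdict(set)
    for user, source, signal in events:
        score[user] += WEIGHTS.get(signal, 0)
        sources[user].add(source)
    return {u: (score[u], sources[u]) for u in score}

def triage(score, sources):
    """Context decides priority: one isolated signal stays low; the same signal
    beside evidence from several other sources is what needs attention."""
    if score >= 6 and len(sources) >= 3:
        return "needs attention"
    if score >= 3:
        return "review"
    return "low"

def prioritised(events):
    """Return [(user, verdict, score)] with the highest risk first."""
    rows = [(u, triage(s, src), s) for u, (s, src) in score_users(events).items()]
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for user, verdict, score in prioritised(EVENTS):
        print(f"{user:8} {verdict:16} score={score}")
```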

 

 

The Next Step is to Find Your Gaps Before Attackers Do

Human risk is not a reason to blame users. It's a reason to design security around the way people actually work.

The most useful thing to do after reading this is look at your own environment honestly and ask where the pressure points are.

  • Where are users most likely to be targeted?

  • Where could one mistake cause the most damage?

  • Where are people creating workarounds?

  • Where is data moving without enough visibility?

  • Where is AI already being used?

  • Where are your controls adding protection, and where are they adding friction?

  • Where do your tools give you a clear picture, and where are you stitching things together manually?

Those aren't abstract questions. They're the ones that shape how resilient your organisation actually is.

A TIEVA cyber assessment helps you answer them in the context of your own environment - a clearer view of where exposure exists, which controls are working, and which practical steps should come first.

Book a cyber assessment with TIEVA

Gain a clear view of your cyber risk, identify gaps, and prioritise the actions that matter most.

About the Author

Sofia Andersson is a data-driven marketing executive with a passion for crafting high-impact campaigns that elevate brand visibility and drive measurable engagement across digital platforms. With a keen eye for analytics and consumer behaviour, she blends creativity with strategy to deliver results that resonate.

Email: sofia.andersson@tieva.co.uk