Cyber competence: the missing KPI in the defence against cyber criminals

95% of cyber-attacks exploit human error. CISOs recognise this as the biggest threat, yet breaches persist. Is training enough – and are organisations guilty of measuring the wrong outcome?

2025 has been a very difficult year for businesses when it comes to cyber security. From the familiar high street presence of Marks & Spencer and Co-op to global giants like Mailchimp and Hertz, cyber attackers continue to show little mercy, escalating their campaigns and targeting organisations of every size with increasing ferocity.

We’ve seen a security landscape dominated by sophisticated AI-powered scams, insidious social engineering tactics, and devastating supply chain breaches, collectively putting millions of customers’ data – and their money – at risk.

Recent reports[i] show that even the UK’s tax, payments and customs authority isn’t immune: HMRC fell victim to a phishing attack in which scammers, posing as taxpayers, stole £47m from the online accounts of 100,000 people.

Cybercrime certainly isn’t standing still then – it’s evolving at an alarming pace, with attackers leveraging advanced techniques to bypass even your best technological cybersecurity defences.

Recent events offer sobering lessons for all business leaders. Between April and May 2025, a single breach plunged Marks & Spencer into six weeks of chaos. What began as a seemingly innocuous phishing attack on an outsourced IT contractor spiralled into a full-blown ransomware incident. The hackers managed to:

  • Trick a third-party support user.
  • Gain administrative access by stealing hashed passwords.
  • Deploy ransomware across over 600 systems.
  • Shut down M&S online sales for over a month.
  • Access personal customer data.

Do a quick Google search for ‘recent cyber security breaches’ and you’ll be met with a stream of published press cases[ii] showing that cybercrime incidents are now almost a daily occurrence. Councils, the NHS, airlines – they’ve all fallen victim recently. Attackers don’t care whether you’re a global enterprise or a smaller operation. In fact, most cyber-attacks, regardless of the size of the organisation, rely on the same fundamental tools and principles: phishing, ransomware, and exploiting human error – and attackers are becoming increasingly adept at manipulating the latter in particular.

If you want absolute proof, here’s a statistic from a House of Commons Research Briefing report[iii] (published May 2025) that should make every business leader stop and pause for thought: an estimated 95% of cyber-attacks succeed due to human error, encompassing both ‘active’ errors, like someone opening a malicious email attachment, and ‘passive’ errors, such as using weak passwords.

Further insights from the GOV.UK Cyber Security Breaches Survey 2025[iv] only underscore how pervasive this threat truly is:


  • A significant 20% of businesses and 14% of charities experienced at least one cybercrime in the preceding 12 months. That’s approximately 283,000 businesses and 29,000 registered charities affected.
  • Phishing remained, by far, the most common type of cybercrime, impacting a staggering 93% of businesses and 95% of charities that reported an incident.

In fact, this issue is so prevalent that the UK Government has even proposed introducing a ‘cyber duty to protect’, which would place greater responsibilities on organisations managing online personal accounts. While we await the government’s response to this consultation, the very discussion highlights the urgent need for enhanced organisational accountability and more robust governance practices.

And, if you want a real-world impact story of how easy it is to break through your ‘people defence’, The National Cyber Security Centre[v] (NCSC) provides a compelling example in the House of Commons Research Briefing report that perfectly illustrates this.

1,800 emails containing malware were sent to a financial services firm, claiming to be about an invoice that needed urgent attention:

  • Their email filtering system was effective, blocking 1,750 emails by detecting the malware in the attachment.
  • Of the 50 emails that managed to bypass the filters and reach employees’ inboxes, a commendable 36 were correctly ignored or reported.
  • However, 14 attachments were clicked, releasing the malware.
  • Fortunately, 13 of these attempted malware installations were blocked because the users’ systems had the latest security updates.
  • Ultimately, malware successfully infected just one device. Luckily, it was detected and the device quarantined before the malware could spread.

But it’s not just lapses in human judgement being targeted. Attackers also frequently exploit poor cyber hygiene to gain access to devices and systems. Weak passwords, for instance, are an open invitation for breaches. They can be guessed using readily available tools that employ a ‘brute force’ approach, trying common passwords until the correct login credentials are found.

NordPass[vi], a password management service provider, analysed data from 44 countries and found that over 80% of the top 200 most commonly used passwords could be cracked in less than a second. The most popular passwords? Yep, you guessed it: ‘123456’ closely followed by ‘password’.

So, given that we know that human error contributes to 95% of cyber breaches – and that 78% of Chief Information Security Officers (CISOs) in the UK agree that human error is their organisation’s biggest cyber vulnerability[vii] – we have to ask an important question: Why, with this seemingly irrefutable evidence and acknowledgement from CISOs that employees pose the greatest risk, are organisations not doing more to keep the issue front and centre of mind, improve workforce competence, and treat it as a quantifiable KPI?

Further still, why is it that employees – despite receiving (often) repetitive and continual training – still manage to make basic cybersecurity errors, inadvertently exposing the employer (and their customers) to increased risk and leaving an open door into the employer’s data and systems?

Adrian Harvey, Chairman and Co-founder of Elephants Don’t Forget, believes that the reason firms remain so susceptible to cybercrime is fundamentally cultural. He argues that whilst business leaders understand the threat, this rarely translates into appropriate action, with many employees mistakenly believing cybersecurity is solely the IT team’s responsibility.

As Harvey states:

“I think the reason firms are so susceptible to cybercrime is cultural. If you ask most rank-and-file employees, ‘Who owns cyber security?’, they’ll likely say, ‘The IT team.’ On the other hand, whilst business leaders undeniably understand the threat posed by cybercrime, that understanding doesn’t translate into appropriate action. We’re at war with cyber criminals, yet I rarely come across a business where employees know they are on a war footing.

Cyber security is the responsibility of every employee, not just the technical experts in IT. And attitudes need to change. If the threat were more physical and personal, employees would likely be far more vigilant. For example, if there were a load of hungry tigers prowling around the business park, I suspect employees would never forget to follow the firm’s ‘anti-tiger policy’. Employers and business leaders need to change their attitude and help employees view cyber on the same level as ‘tigers in the car park!’

True, it isn’t easy, or indeed quick, but it is entirely possible. I do wonder, however, if leaders over-rely on technology solutions and hope that the technology stays ahead of the criminals. The reality is that it will always be behind, so technology is only part of the defence. Your people are the other part.

When I worked at Eon, the German energy giant, they had an employee safety issue. They solved it by making sure that the number one agenda point for EVERY meeting and staff gathering, whatever the subject, was employee safety. The programme was called ‘One’, in reference to the number one agenda point. Eon went to war on unsafe working practices and soon became renowned as perhaps the safest working environment within the industry. What gets measured continually gets done – and that’s indicative of the mindset I think all organisations need to take with cyber security.

What’s required is an effective and objective way to continually assess and improve the cyber competence of employees and the ability to utilise that data as a leading indicator to identify potential failure points. This needs to be done whilst simultaneously keeping cyber security front of mind AND making it relevant and personal to individual employees.

Simply conducting yearly, monthly, or ad-hoc exams, where achieving a pass rate is frankly meaningless (and somewhat insulting to employees) is grossly inadequate. Similarly, simulated phishing attacks serve a purpose and are a valid component of a defence strategy, but in isolation, they obviously don’t work.

Organisations are, in my opinion, focusing on the wrong outcome. It’s not about whether training has been delivered or passed; it’s about whether your employees are genuinely competent and vigilant as a result, and most organisations simply cannot measure this. If competence were intelligently assessed and used as a KPI, organisations would benefit from the ability to forecast future vulnerabilities and risk.

The escalating cost of cyber security insurance, which has increased tenfold, directly reflects the ineffectiveness of UK PLC’s cyber defence. What is needed is the continuous conditioning of employees to develop their competence, keep the war front and centre of their minds, and provide them with the necessary support to genuinely become the first line of cyber defence.

No matter how well the IT function deploys technology to shield the employer, incompetent employees are going to continue to leave the door open and put the business at risk. The data speaks for itself. 95% of successful attacks occur not because the IT function doesn’t have the right software and policies in place, but because an employee left a metaphorical door wide open for a hacker to walk through and raid the business.

And the hard truth for the C-suite is essentially this: If the competence of your employees, viewed as a KPI and leading indicator of risk, isn’t a regular item on your board agenda, then you’re operating with a dangerous blind spot. It’s a vulnerability just waiting to be exploited.”
