Human error is the single biggest variable in your security posture. The latest tools and settings will reduce most malicious attacks, but we all know that cybersecurity settings can and will break down where people get involved in the process.
That’s why your internal IT managers can’t treat “human risk” as a side project or a training tick box.
It’s also why your HR teams need to become involved in your cybersecurity defence strategies.
We believe that businesses in Suffolk and Essex need to change the way they think. Protecting yourself against harmful digital threats isn’t about asking “Do we have the right technology?”
It’s time to change the question to “How do we systematically reduce human-driven risk across identity, access and day-to-day decisions?”
As you continue reading this guide, you’ll learn how to benefit from a practical, four-step framework. You’ll learn how to identify higher-risk users, harden identity and least‑privilege, embed security culture with HR, and use co-managed support to free your specialists for strategy.
It’s how Suffolk and Essex businesses can move from reacting to incidents to measuring and reducing human cyber risk month after month.
Why human errors continue to dominate today’s data breaches
Industry research continues to show troubling statistics.
The Verizon 2025 Data Breach Investigations Report confirms that “60% of breaches involved a human element”.
In their ‘2025 State of Human Risk’ report, Mimecast states that “Just 8% of employees account for 80% of incidents.”
It may come as no surprise to learn that phishing scams and social engineering are the leading causes of cybersecurity and data protection issues. After all, today’s phishing scams are incredibly sophisticated, and hackers can now use generative AI to create hundreds of spoof emails every second.
Want proof?
According to data released by the ENISA Cybersecurity Threat Landscape Report 2025, “Phishing continues to be the primary method for initial intrusion, accounting for 60% of observed cases.”
The three human behaviours that drive most cyber incidents include phishing, credential misuse and fatigue.
Most cyber incidents fall into three predictable categories of behaviour. For internal IT teams, understanding these patterns makes it much easier to reduce risk, adjust permissions, and design the right interventions.
Human Behaviour #1: Being tricked
This happens when employees are manipulated into taking an action that looks legitimate but isn’t. It’s commonly found in highly convincing phishing and social engineering attacks, as well as in AI-generated emails that imitate clients, suppliers, or colleagues. People can also be tricked through malicious links or attachments disguised as routine communications.
These attacks exploit trust, urgency, and authority, which is why they are behaviour-led rather than technology-led.
Human Behaviour #2: Being careless
These behaviours aren’t malicious, but they dramatically widen the attack surface. It’s where employees use weak or reused passwords, or experience MFA fatigue and fail to read clear notifications. It could also include mishandling sensitive data, such as emailing files externally or storing them in unapproved locations. This is why your HR team needs to be involved. Such carelessness is usually a symptom of convenience pressures, not intent.
Human Behaviour #3: Feeling overwhelmed
In these circumstances, your team might be dealing with cognitive overload, hybrid working and unclear expectations, all of which contribute to frequent mistakes. These problems might arise when your team regularly switches between multiple devices or networks, rushes between tasks, clicks without checking, or works from outdated or unclear policies, especially in remote and AI-enabled work environments.
These are organisational issues, not user failings, and they’re often the easiest to fix.
Supply chain and partner risks are also major concerns in cybersecurity.
It’s not just your own staff you need to worry about. It’s also the employees of all of those within your wider supply chains.
Carefully constructed ecosystems are great for productivity and efficiency, particularly when you are working across a network of closely intertwined partners, from manufacturing and logistics to customer-facing outlets. But those ecosystems increase the number of entry points and vulnerabilities that can get into your system.
Recent incidents in UK retail show the cost of human lapses. After all, Marks & Spencer publicly linked its major outage to human error and third-party access, with reported impacts approaching £300m. This is a scary reminder that a single lapse can quickly sweep across complex supplier networks.
And here in Suffolk, we have a fantastic example of such a collaborative ecosystem on our doorstep with the Sizewell C supply chain. Within that framework, there will be a mix of tier 1, tier 2, and tier 3 contractors who will work together on the new development of a nuclear power station. Clearly, the security credentials of everyone within that framework must meet the highest possible defence standards.
As the ENISA Cybersecurity Threat Landscape Report 2025 says, “Adversaries also exploit the digital supply chain by compromising software, open-source repositories, or deploying malicious browser extensions.”
Why your IT support team cannot solve your human cyber risks alone
If you’ve read any of our recent blog posts, you’ll be aware that we believe that cybersecurity should be a shared responsibility.
We believe your internal IT departments should work closely with your HR teams to foster positive work cultures where individuals feel confident reporting potential breaches.
It’s about working collaboratively so that employees learn how to change their behaviours. At Lucid Systems, we offer phishing simulation training for businesses in Suffolk, helping you identify who is most likely to fall for a hypothetical scam. But that’s only part of the problem. It’s down to workplace culture to ensure that staff recognise the value of these exercises and that they are there to protect them (personally as well as professionally), rather than being seen as a tick-box exercise.
Another issue to contend with is the general workplace fatigue and cognitive overload that employees may experience. It could be tiredness that leads to mistakes, such as opening a malicious email or failing to change a password when reminded. They might be working from unclear or outdated policies that do not account for today’s hybrid workplace or common AI usage.
A four-step framework to reduce your risk of cybercrime
Now that you know what common human behaviours are and why they might occur, you can take steps to address them.
From a human perspective, we think these are the key elements to focus on to minimise risks and reduce weaknesses.
Step #1 – Identify your high-risk users.
If Mimecast is correct and 80% of incidents are caused by 8% of individuals, the first step is to identify those high-risk users.
You can do this through repeated phishing simulation training sessions and through face-to-face training seminars and workshops. If those individuals keep making the same mistakes, you need to understand why. Perhaps it’s because their workload is too high, or they need additional help and support elsewhere.
Step #2 – Reduce your risk factors
This is your opportunity to establish zero trust and least-privilege access. If you know who the risk users are, minimising what files they have access to could prevent a malicious hacker from making their way through your system undetected. You should also implement stronger password policies and require MFA for all users. This is where you can use your behaviour analytics to examine how an employee works so that you can limit those risks accordingly.
Step #3 – Embed a security culture with HR
As we mentioned, you need a security culture that focuses on positive reinforcement rather than the blame game. You want your employees to feel confident admitting when they’ve made a mistake, to know how to report a potential incident, and to know whom to report it to.
When it comes to cybersecurity, time is always of the essence, so you need a team that is comfortable admitting mistakes without fearing the consequences.
Step #4 – Co-managed IT support partner to free your team for strategy
Dealing with cybersecurity issues is a never-ending task, and you might be struggling to handle an endless number of incidents while also managing your typical IT helpdesk tasks.
Don’t be afraid to work with a co-managed IT support partner, such as Lucid, to provide the additional capacity you need. Your internal IT management can focus on governance and strategy, while we handle the minutiae of password management, phishing simulation training or even support you with penetration testing. We can provide all the KPIs you need to take to your senior teams to justify any increase in cybersecurity defence budget.
Technical safeguards & board-level KPIs that prove your cybersecurity progress for IT leaders in Suffolk & Essex
Alongside this human-risk framework, if you’re a business in Suffolk or Essex, we recommend that your in-house IT team prioritise the following technical safeguards.
- MFA implementation. This needs to be mandatory for all passwords that grant access to your system. It may be frustrating for individuals, but it is one of the strongest defence mechanisms you can put into place.
- Password protection. A weak password is at the heart of many cyber incidents (something that The Louvre came to regret), so you must have detailed password policies in place. Automating monthly password changes can be an effective way to ensure all users adhere to the policy.
- Phishing simulations & baseline failure-rate KPIs. Phishing simulation training is more than just a pass/fail mechanism. It gives you the opportunity to monitor your failure rates, identify high-risk individuals, and assess whether your workforce is improving at protecting themselves online.
- Look at your access settings. You should always apply the concept of “least access” to every single member of staff (regardless of seniority). Ensuring that everyone has access to the bare minimum means that if someone did break through your metaphorical door, they would very quickly meet a new barrier.
- Review of risky software access. If you’ve installed any new software into your system, or a new plugin into your website, make sure that you review them to confirm that you haven’t inadvertently created a weakness that could be exploited.
- Reporting dashboards for directors. Many Suffolk and Essex businesses believe that hacking is something that happens to others. We recognise that it’s hard to justify further investment in cybersecurity when nothing has gone wrong. But that’s exactly why you need reporting dashboards in place: to track what you are being protected from and demonstrate your continual progress. These reports could be essential documentation if you were hacked and needed to defend yourself against a data breach.
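As an added illustration of Step 1 and the failure-rate KPI bullet above (example code written for this page, not Lucid's own tooling), this Python script aggregates constructed phishing-simulation results into the three numbers an IT lead would put in front of directors: the per-campaign failure and report rates, the repeat-failers who need a conversation about workload rather than a reprimand, and how concentrated the failures are among a small fraction of users. Campaign names, user names and outcomes are all constructed.

```python
from collections import defaultdict

# Constructed results from three simulated phishing campaigns (not real data):
# (campaign, user, clicked_link, reported_email)
RESULTS = [
    ("2025-Q1", "alice", False, True),
    ("2025-Q1", "bob", True, False),
    ("2025-Q1", "carol", False, False),
    ("2025-Q1", "dave", True, False),
    ("2025-Q1", "erin", False, True),
    ("2025-Q2", "alice", False, True),
    ("2025-Q2", "bob", True, False),
    ("2025-Q2", "carol", False, True),
    ("2025-Q2", "dave", False, False),
    ("2025-Q2", "erin", False, True),
    ("2025-Q3", "alice", False, True),
    ("2025-Q3", "bob", True, False),
    ("2025-Q3", "carol", False, True),
    ("2025-Q3", "dave", True, False),
    ("2025-Q3", "erin", False, True),
]

def campaign_kpis(results):
    """Baseline KPIs per campaign: failure rate (clicked) and report rate."""
    totals = defaultdict(lambda: [0, 0, 0])  # users, clicked, reported
    for campaign, _user, clicked, reported in results:
        totals[campaign][0] += 1
        totals[campaign][1] += clicked
        totals[campaign][2] += reported
    return {c: {"failure_rate": round(n_click / n, 2), "report_rate": round(n_rep / n, 2)}
            for c, (n, n_click, n_rep) in sorted(totals.items())}

def repeat_failers(results, min_failures=2):
    """Users who clicked in at least `min_failures` campaigns: Step 1 follow-up list."""
    fails = defaultdict(int)
    for _campaign, user, clicked, _reported in results:
        fails[user] += clicked
    return sorted(user for user, n in fails.items() if n >= min_failures)

def failure_concentration(results, top_fraction=0.2):
    """Share of all click failures produced by the top `top_fraction` of users,
    the kind of figure behind the '8% of employees, 80% of incidents' statistic."""
    fails = defaultdict(int)
    for _campaign, user, clicked, _reported in results:
        fails[user] += clicked
    total = sum(fails.values())
    if total == 0:
        return 0.0
    top_k = max(1, round(len(fails) * top_fraction))
    return round(sum(sorted(fails.values(), reverse=True)[:top_k]) / total, 2)
```

Tracked quarter on quarter, a falling failure rate with a rising report rate is the evidence of progress the dashboards bullet asks for.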
Where Lucid fits as your co-managed security partner
Our expertise in identity governance, combined with practical sector-specific insight across retail, professional services, and logistics, enables us to understand the real-world pressures your teams face. And we never lose sight of the vulnerabilities that can emerge.
By aligning HR‑led awareness programmes with threat-led monitoring, we help create a workforce in Suffolk and Essex that is confident, supported, and alert to the risks around them. And with our focus on zero‑trust maturity and improving your Microsoft Secure Score, we can give your internal IT leaders the uplift they need to protect your organisation today while building resilience for tomorrow.
If you want a partner who will strengthen your identity security, support your risk-prone users, embed a security culture with HR, and give your board meaningful KPIs, then Lucid is ready to step in as your co-managed security partner.