Your organisation’s greatest security risk isn’t a shadowy hacker in a hoodie – it’s the well-meaning employee who shares passwords to meet a project deadline, uses Dropbox because the approved file-sharing system is too slow, or clicks on a phishing email from what appears to be a trusted colleague. This uncomfortable reality emerged as the central theme in our recent webinar, "Hiding in Plain Sight: The Cyber Risks Built Into Your Daily Operations," where I joined fellow cybersecurity experts Petra Vincent and Matthew Wylie to dissect how everyday business practices create the vulnerabilities that attackers exploit most successfully.
“Human risk is usually not from bad actors,” explained digital strategist Petra Vincent during the discussion. “It usually comes from when someone’s trying to find an easier route, when teams are incentivised to move really fast without any guardrails, and then they start to bypass controls.”
The scenarios are painfully familiar:
As I pointed out during our discussion, this creates a dangerous disconnect: “You can sometimes end up with this big disparity between what the leadership team think is happening and what’s actually happening on the ground.”
The webinar panel unanimously agreed that annual security training (the checkbox exercise most organisations rely on) simply doesn’t work. Instead, they advocated for frequent, bite-sized training that creates real accountability.
Vincent shared an effective approach from her previous firm: “We would do phishing tasks at least once a week, randomised across the firm. After something happened three times, then you would have to take some form of training. We had things where if you didn’t take this training, your email would get shut down by the end of the day.”
The key is making security part of the organisational culture rather than an annual obligation. When employees understand the real-world consequences of their actions and feel safe reporting mistakes, organisations can close security gaps before they become breaches.
Phishing attacks have evolved far beyond the poorly-written email scams of the past. Modern attackers use AI to craft sophisticated, personalised attacks across multiple channels:
Matthew Wylie, who provides Virtual CISO services for FoxTech clients, shared a recent example of how these sophisticated attacks succeed: “The reason it was successful was because one of their contacts had been compromised. The email came from a trusted source, someone they dealt with day to day. They didn’t know that their account was compromised.”
Even with good training, click-through rates on phishing simulations typically run 4-5%. In an organisation of 500 people, that means 20-25 employees will likely click on any given phishing email that gets through filters.
Multi-factor authentication (MFA) is essential, but not all MFA methods provide equal protection against bypass techniques. Simple MFA methods like SMS codes or emailed passcodes can still be harvested by sophisticated phishing kits that immediately use captured credentials.
The webinar emphasised investing in phishing-resistant MFA – hardware tokens, passkeys, or Windows Hello for Business – particularly for privileged accounts. As I explained during the discussion: “These are tightly coupled to the URL on which you log in. Even if you went to a malicious site, your hardware encryption key would not release the required credential to the phishing site because it’s on a different URL.”
For organisations concerned about cost, hardware tokens can be as inexpensive as £5 per user – a minimal investment compared to the potential cost of a breach.
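The URL coupling described above is what a relying party enforces server-side when it verifies a WebAuthn (passkey or hardware key) login. The following is an added example, not code from the webinar or from FoxTech; the RP ID, origins and challenge are constructed, and signature verification against the stored credential public key is omitted to keep the focus on the origin checks.

```python
import base64
import hashlib
import json
import struct
# Assumed relying-party settings (hypothetical, not from the article).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
CHALLENGE = bytes(range(32))  # constructed; a real server issues a fresh random one

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, expected_challenge):
    """Return the binding failures; an empty list means these checks pass."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin the user is really on.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    # Layout: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte counter.
    rp_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not flags & 0x01:  # bit 0 = user present
        problems.append("user not present")
    return problems

def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what browser and authenticator would return."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 7)
    return client_data, auth_data

def demo():
    genuine = sample_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
    # A look-alike site relaying the real challenge still yields its own origin.
    relayed = sample_assertion("https://login-example.phish.test",
                               "login-example.phish.test", CHALLENGE)
    return check_assertion(*genuine, CHALLENGE), check_assertion(*relayed, CHALLENGE)

if __name__ == "__main__":
    print(demo())
```

In a real login the browser also refuses to offer a credential whose RP ID does not match the page's domain, so a look-alike site normally receives no assertion at all; the server-side checks are the second line of defence.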
The rapid adoption of AI tools has created a new category of risk: shadow AI. Employees frustrated by organisational restrictions on AI tools often resort to copying sensitive information into personal ChatGPT accounts or other unauthorised platforms.
“We saw when AI first came out, some companies just immediately put the doors down and said no, you cannot use it,” noted Wylie. “There wasn’t really an acknowledgement that these tools are really useful, but you need to understand the risks they bring.”
The solution isn’t blanket prohibition but providing approved AI tools with proper data controls, such as Microsoft Copilot configured to use only organisational data, combined with technical controls like data loss prevention software to monitor for sensitive information leaving the organisation.
You can listen to the complete 60-minute discussion, including detailed technical recommendations and Q&A with the expert panel.
Understanding the attack progression helps organisations prepare better defences. After successful credential theft, attackers typically:
This process can take months, during which the attacker quietly explores the environment. Organisations relying on standard Microsoft 365 logs (which retain data for only 30 days) often cannot investigate the full scope of a breach once discovered.
The webinar panel offered three immediate actions every organisation should implement:
Additional recommendations include abandoning forced 90-day password changes in favour of unique passwords per site, implementing phishing-resistant MFA for critical accounts, and establishing security working groups where employees can safely report concerns.
One practical tool mentioned during the webinar is FoxTech’s free Cyber Risk service, which uses open-source intelligence to show organisations what attackers can see about their external digital footprint. Having analysed over 20,000 organisations, this service provides a benchmark for where your organisation stands relative to others in terms of external vulnerabilities.
Cybersecurity is fundamentally a human problem that requires cultural solutions alongside technical controls. Even the most sophisticated firewall cannot protect against an employee who clicks a convincing phishing email or uploads sensitive data to an unauthorised AI tool.
Organisations that acknowledge this reality and work to align security policies with how people actually work – rather than how they wish people would work – create more resilient defences against the threats that matter most.