Human Risk: The Real Security Perimeter

For twenty years security was about the edge of the network. That edge has dissolved, and the attacks that land now almost all run through people, their inboxes, their habits, their mistakes, and sometimes their intentions. Here is an honest look at why human risk is the centre of security now, and a practical way to think about reducing it.

If you map where real incidents start, a pattern is hard to miss. The firewall held. The endpoint was patched. The breach still happened, because someone trusted a convincing message, reused a password, was tricked into moving money, or carried a folder of data out of the door on their last day. The technology did its job. The human layer is where the exposure now sits, and most security budgets are still weighted toward the parts of the estate that attackers no longer bother with.

This is not a comment on your people. It is a comment on where the contest has moved. So let us start with the honest landscape, then a way to think about the controls, and only at the end, briefly, how we tend to help.

The perimeter moved, and most defences did not

The old model had a clear inside and outside. Work happened on managed devices, on the corporate network, behind a firewall. Security was a wall, and the job was to keep the wall intact. That world is gone. Work now happens on laptops at home, on phones, in browser tabs, across dozens of cloud applications, through identities that log in from anywhere. There is no edge left to defend in the old sense.

What has not moved nearly as fast is where organisations spend and where they focus. Plenty of estates still pour effort into network controls while the actual entry points, the inbox, the identity, the collaboration tool, the person under time pressure, get a fraction of the attention. Attackers have noticed. They no longer break in through the wall; they log in, or they ask someone to let them in.

The shift in one line

The question is no longer only "is my infrastructure secure?". It is "what happens when a capable, well crafted message reaches a busy, trusting person?", because that is the event almost every modern attack depends on.

What human risk actually means

Human risk is a broad term, and treating it as one thing is the first mistake. It is several distinct problems that happen to share a common factor, a person in the loop. Pulling them apart is what lets you address each one properly rather than buying a single tool and hoping it covers everything.

Email and social engineering

The most common entry point

Phishing, business email compromise, payload and link based attacks, and the impersonation that talks a person into a payment or a password. Still the single most common way an attack begins.

Everyday mistakes

No malice required

The misaddressed email, the file shared with the wrong link setting, the sensitive data dropped into the wrong place. No attacker needed, just a normal person moving fast through a normal day.

Insider actions

Data leaving the business

The departing employee taking client lists or designs, the contractor with more access than they should have, occasionally the genuinely malicious insider. Perimeter tools are blind to most of it because the person is already trusted.

Collaboration and SaaS

The newest surface

Teams, Slack and the wider SaaS estate now carry sensitive conversation and data, and threats increasingly move through them. Most organisations secure email far better than they secure chat.

Identity and access

The keys to everything

Weak, reused or phished credentials, and access that was granted once and never reviewed. Identity is where a human mistake turns into an attacker with a valid login.

Why the human layer is now the primary target

Three things have made people the target of choice. First, the other doors got harder. Patching, endpoint detection and network controls genuinely improved, so the cheapest route in shifted to the person. Second, the tools of deception got better. Convincing lures, cloned sites, and now AI generated messages with no spelling tells and a plausible tone have removed the obvious giveaways people were trained to spot. Third, the attack surface multiplied. Every new application, every remote worker, every integration is another place a person can be reached or can slip.

The uncomfortable implication is that awareness alone cannot carry the load. Training matters, but expecting every person to spot every well crafted attack, every time, under pressure, is not a strategy. It is hoping. The aim is to reduce how often the dangerous moment reaches a person at all, to catch it when it does, and to limit what one mistake can cost.

The categories of control that actually help

Once you have separated the problems, the controls sort into a small number of layers. No single product spans them, and any vendor that says otherwise is selling. A sound human risk posture combines:

  • Stronger email defence than the built in filter, to stop more of the phishing and business email compromise that gets through basic checks. Covered in "Is your built in email security enough?".
  • Insider risk visibility, so data leaving the business through personal cloud, USB or a departing employee is seen and understood, not discovered later. Covered in "Managing insider risk".
  • Collaboration security, extending the protection you already apply to email across Teams, Slack and the SaaS estate. Covered in "Securing collaboration tools".
  • Identity and access hygiene, strong authentication and access that is reviewed, so a phished credential does not hand over the estate.
  • Awareness and culture, used well, to raise the floor and build the habit of reporting, not as the only line of defence.
  • Governance and recovery, clear ownership of the risk, and the resilience to recover when something does land. See "Owning security risk" and "Ransomware resilience".

The honest test of any control

Does it reduce how often a dangerous moment reaches a person, catch it when it does, or limit the damage of the mistakes that get through? If a proposed purchase does none of those three, it is not addressing human risk, whatever the label on the box says.

Tools are half the answer, ownership is the other half

It is tempting to treat human risk as a shopping list. Buy the email layer, buy the insider tool, tick the box. But the organisations that genuinely reduce human risk treat it as something owned, not just bought. Someone is accountable for it. There is a policy people understand, a process for when something goes wrong, and a habit of measuring the real position rather than assuming it. Tools enable all of that; they do not replace it. This is the same Identify and Decide discipline that runs through our IDEAL approach: understand the real exposure first, then decide where controls earn their place.

How we help, and where we point you elsewhere

A note on independence, because it matters and we would rather be plain about it. We are an independent technology consultancy, and we are also a Mimecast partner, among other relationships. We tell you that up front so the recommendations below are read with full information.

Where it fits, we often recommend Mimecast for parts of this picture, and we recommend it for specific reasons rather than as a default. For email, its layered defence catches categories of phishing and business email compromise that built in filtering tends to miss. For insider risk, Mimecast Incydr gives visibility of how data actually moves across endpoints and cloud, which is exactly the gap that perimeter tools leave open. For collaboration, Mimecast Aware extends protection into Teams and similar platforms. In each case the reason is the capability against a named problem, not the logo.

It is just as important to say where it is not the answer. A heavily Microsoft native organisation may get a good deal of what it needs from the controls already in its existing licences, and the honest move there is to harden and use those properly before adding spend. Identity, culture and governance are not products we resell at all, and they are often where the largest gains sit. We would rather tell you that than sell you a tool that does not move your risk. Independence does not mean never having a preferred solution. It means the preference is earned by fit and stated with reasons, and that we will point you away from it when that is the right call.

Want to understand your human risk position?

The fastest honest starting point is to measure it. Our free Human Risk Assessment gives you an instant, personalised read across the dimensions that decide whether your people strengthen your security or quietly undermine it, with no sign up. Or tell us your situation and we will give you an independent view and a sensible next step. Problem first, always, then the right control for it.

Prefer email? Reach us directly at hello@c4cgroup.co.uk.

Frequently asked questions

What is human risk in cybersecurity?

Human risk is the security exposure that runs through people rather than infrastructure. It covers email and social engineering, everyday mistakes such as misaddressed messages and wrong sharing settings, insider actions like data leaving with a departing employee, the security of collaboration and SaaS tools, and identity and access. The common factor is a person in the loop, which is why traditional perimeter controls miss most of it.

Are my people really the weakest link?

That framing is unhelpful and mostly wrong. Your people are doing their jobs under time pressure against attackers who do this full time and now use convincing, AI generated lures. The goal is not to blame the person, it is to reduce how often a dangerous moment reaches them, catch it when it does, and limit what a single mistake can cost. Capable people plus the right controls beat awareness alone every time.

Is security awareness training enough on its own?

No. Training raises the floor and builds the habit of reporting, which is genuinely valuable, but expecting every person to spot every well crafted attack every time is hope, not a strategy. Training works best as one layer alongside stronger email defence, insider risk visibility, collaboration security, identity hygiene and clear governance.

Where should we start with human risk?

Start by understanding your real position rather than assuming it. A short assessment of where your exposure actually sits, across email, insider, collaboration and identity, tells you where the gaps are before you spend. From there you can decide which controls earn their place. Our free Human Risk Assessment is a no sign up way to get that first read.

You partner with Mimecast, so is this independent advice?

Yes, and we state the relationship plainly. We are an independent consultancy and a Mimecast partner among other relationships. Where we recommend Mimecast Email, Incydr or Aware it is for specific capabilities against a named problem, and we are equally clear about where it is not the answer, for example when built in Microsoft controls or better identity and governance practice will do more. The assessment is independent, the recommendation is earned, and we will point you elsewhere when that is right.