It’s widely recognised that human error is one of the most significant risks facing enterprise security today. Security leaders are well aware of the threats posed by phishing, vishing, and business email compromise (BEC), and how effectively these tactics continue to target the human layer. While these are not new challenges, they continue to cause significant damage.

In fact, according to Verizon’s 2025 Data Breach Investigations Report, approximately 60% of data breaches involve a human element, encompassing errors, misuse, and social engineering attacks like phishing and credential theft. The threat landscape has evolved, but human behaviour remains a constant, and attackers know it.

Take the example of the Ascension Health breach in 2024. The company experienced a ransomware attack that was initiated by a phishing email. An employee unknowingly downloaded a malicious attachment, giving threat actors the access they needed to encrypt systems and exfiltrate sensitive patient data. The breach affected millions of records and caused weeks of operational disruption across hospitals and clinics.

It’s a reminder that cybercriminals are no longer focused solely on breaking into systems. They’re targeting the people who use them. Phishing, impersonation, credential theft, and manipulation are now their go-to tools, because people are easier to exploit than technology.

In this blog, we’ll explore why your workforce is now your largest attack surface, and how a workforce security assessment gives you the visibility to reduce risk where it matters most: in human decisions.


Why people are an effective attack surface

Cyber attackers have evolved, and so have their methods. Instead of brute-forcing firewalls or exploiting system vulnerabilities, they’re getting in by exploiting human nature.

Social engineering, phishing, and Business Email Compromise (BEC) are designed to bypass traditional security controls by targeting human behaviour. Attackers do not need to break in when they can convince someone to open the door. And it works.

Employees today are bombarded with login prompts, meeting alerts, and urgent requests. It’s no wonder Multi-Factor Authentication (MFA) fatigue sets in, or passwords get reused. A convincing message from a “senior exec” is all it takes.

These attacks succeed because they exploit familiar behaviours:

  • Curiosity is triggered by fake document notifications or clickbait links
  • Urgency pressures users to act before thinking, using phrases like "approve now" or "your account will be locked"
  • Trust is manipulated through impersonation and lookalike domains

Even well-trained staff can fall into these traps. And while tools like email security and user awareness training are essential, they can’t address everything.

To meaningfully reduce risk, we need to go beyond awareness. We need to understand how people actually behave.

Where are you most vulnerable?

Most organisations have invested heavily in securing their networks and applications. But when it comes to workforce behaviour, critical gaps are often overlooked or underestimated.

Here are some of the most common weak points that leave businesses exposed:

  • Unpatched endpoints that miss critical security updates due to poor device management or shadow IT.
  • Weak or reused passwords, often shared across personal and professional accounts.
  • Unsafe cloud sharing practices, such as public file links or unauthorised third-party access.
  • Blind trust in internal-looking email addresses, which threat actors exploit through lookalike domains and spoofed identities.
  • Delayed deactivation of access for former employees or contractors, leaving systems open to exploitation.

We’ve seen the impact firsthand. In 2023, Latitude Financial, one of the country’s leading lenders, experienced a significant breach affecting over 14 million individuals. The incident started with stolen employee credentials from a third-party vendor and escalated quickly. With just one point of access, attackers moved laterally across systems before being detected.

These are not theoretical risks; they are real, preventable exposures. And they highlight the need for strategies that go beyond patching and platform defences to focus on workforce behaviour.


Why you need a workforce security assessment

You can’t manage risk if you can’t see it.

A workforce security assessment is designed to give you that visibility. It’s a focused evaluation that works hand-in-hand with your broader security controls review, assessing how your people interact with systems, where their behaviours introduce risk, and what that means for your organisation’s overall cyber posture.

The outcome is simple: clarity.

A workforce security assessment gives you:

  • Actionable insights that highlight how and where human behaviours are introducing risk
  • Proactive identification of security gaps across your workforce environment, before they’re exploited
  • A prioritised, manageable action plan that supports operational reality without overwhelming your teams
  • Improved ability to benchmark workforce security posture and track progress over time
  • Stronger alignment with essential security frameworks like the ASD Essential Eight, especially in areas like MFA, patching, access control, and user awareness

This isn’t about blame. It’s about visibility and informed decision-making.

Because when leadership has the right data, security becomes proactive rather than reactive, and your people become a strength, not a liability.

Training isn’t enough – you need targeted insight

Security awareness training is a key part of any strategy, but it’s not enough on its own. Most teams can tick the training box: they’ve completed the modules, passed phishing simulations, and sat through the presentations. But awareness doesn’t always equal readiness. And in cyber security, what matters most is behaviour.

That’s where a workforce security assessment becomes essential. It goes beyond awareness to reveal which behaviours are introducing risk, where existing controls are falling short, and how training and policies can be sharpened for greater impact.

This assessment provides a strategic foundation for aligning your efforts: not just educating users, but embedding security into everyday decisions. Because true cyber maturity isn’t just measured by infrastructure and tools. It’s reflected in culture, habits, and the way people respond in the moments that matter most.

Stop guessing, start measuring

Cyber security isn’t just a technical challenge anymore; it’s a human one. And it’s one that too many organisations continue to underestimate. While tools and technologies play a critical role, the most common breaches still trace back to human decisions: a missed patch, a clicked link, a reused password. These aren’t technical failures. They’re behavioural ones.

A workforce security assessment helps you stop relying on assumptions and start working with evidence. It gives you a clear, measurable view of where your people-related risk sits and what to do about it.

Regular assessment is a practical way to build maturity, improve control effectiveness, and turn your workforce into a confident, capable line of defence.

So how secure is your workforce really?
Get in touch with us to book your workforce security assessment today. It’s a smart, focused way to uncover people-driven risk, strengthen your cyber posture, and prioritise what matters most.


Author

David Bingham

David Bingham is Security Sales Manager for The Missing Link’s Southern Region, where he leads with energy, empathy and a love of complex problem-solving. Known for blending strategic thinking with a passion for people, David creates space for his team—and clients—to thrive. He’s all about building trust, tackling cyber security challenges head-on, and keeping the conversation real (and fun). Whether he’s in a high-rise talking strategy or behind the decks as Melbourne techno DJ Obsessive Behaviour, David brings the same sharp focus, infectious energy and creative spark to everything he does.