Peter Connolly, Founder and CEO of Toro Solutions, challenges common assumptions about “human risk” and argues that an effective security strategy must start with people – not technology.
Why have people become the primary attack surface in modern security?
Most technical controls and defences are linear. They can be configured, understood, monitored and largely predicted. People are different.
Human behaviour is nuanced, variable and influenced by a lot of factors, meaning that on any given day, an organisation’s people can be its greatest security asset or its greatest weakness.
There is also almost always a human somewhere in the security chain. Someone configures the technology, monitors it, responds to alerts or decides whether a control is enabled at all.
Levels of security awareness vary significantly between individuals and are shaped by personal experience, near misses, past incidents and how people approach security in their personal lives.
Organisational culture also plays a major role in reinforcing or undermining those behaviours.
Attackers understand this and, as such, criminals consistently exploit the path of least resistance, which is invariably a person.
Social engineering has therefore long been a preferred entry point, whether through phishing, phone-based deception or manipulation that enables attackers to gain an initial foothold before moving laterally through systems.
Despite advances in tech, this approach remains highly effective and widely used.
What do organisations still misunderstand about “human risk”?
There are two common misconceptions. The first is the belief that security is a handbrake to progress. The second is the assumption that because people always make mistakes, there is little value in investing in helping to change those behaviours.
I have seen the opposite to be true. In highly secure environments, such as defence and aerospace, people understand that serious threats exist, including from nation states and organised crime.
Many individuals in these sectors have previously worked in sensitive roles within government and are acutely aware that security risks extend into both their professional and personal lives.
As a result, they take security seriously without it preventing them from doing their jobs effectively.
By contrast, in organisations with weaker security cultures, security is often treated as an inconvenience. This shows up in careless behaviour, avoidable losses and a general sense that security is someone else’s responsibility.
Security needs to be reframed as resilience rather than restriction. Building human resilience improves performance as people learn to work better under pressure and deal with uncertainty more effectively.
It is important to remember people respond far better to real, personal stories that relate to their own lives, particularly if the advice helps protect personal bank accounts or email accounts, rather than to rules and reprimands.
How are people typically exploited in real-world attacks?
Most attacks start online. Criminals use LinkedIn and other social platforms to identify individuals who are useful targets within an organisation, such as executives, assistants, IT staff or anyone with access to money, data or critical systems. In effect, social media gives attackers a directory of the organisation.
Once targets are identified, attackers gather as much personal information as possible.
This includes breached passwords, email addresses, phone numbers, social media profiles and interests which will enable the next stage of the attack.
This may involve phone calls posing as colleagues, suppliers or clients, phishing or spear-phishing emails tailored to personal interests, text messages or fake social profiles designed to build trust or create pressure.
A key point that is often missed is that much of this activity takes place in people’s personal lives rather than through corporate systems.
Personal email accounts linked to social media are frequently used, and credentials exposed in historic data breaches are often reused across multiple accounts.
Once criminals gain access to personal email or financial accounts, they can monitor activity, apply pressure or wait for an opportunity to exploit the individual directly.
Attacks can also extend into physical spaces. Criminals often monitor the online profiles of their victims before attempting a kidnap or burglary.
They often watch individuals working in public areas to identify passwords or mobile phone PIN codes, overhear discussions in cafés or pubs and participate in face-to-face social engineering scams.
Seemingly small snippets shared in a casual conversation can later prove valuable when combined with other intelligence.
Why doesn’t technology prevent most human-led breaches?
Because there is almost always a human involved either in configuring, integrating, monitoring or enabling security technology – or deciding to turn the security on in the first place.
For example, many businesses haven’t enabled the security features in the software or devices they use. Organisations often avoid turning on these security controls because they believe it will create friction for staff.
The problem is that defence must be layered and one of those layers will always involve people. As such, there is no technology silver bullet that can remove human error.
While organisations invest in training people to perform their jobs well, they often underinvest in training and testing security behaviours. This gap is exactly what attackers exploit.
What does meaningful human resilience look like in practice?
Resilience is not something that people are born with. It develops through exposure to real-world stresses which can be simulated in a controlled environment.
In practice, this means delivering impactful training and exercises that people remember, supported by ongoing reminders such as e-learning, regular testing and, where possible, gamification to reinforce behaviours. Leadership also plays a critical role.
If senior people do not model the behaviours they expect from others, security culture deteriorates very quickly.
It is also important for organisations to avoid blame and embarrassment.
People will make mistakes especially when they are under pressure or distracted, but if individuals fear punishment or ridicule, they are far less likely to report incidents, which will increase the risks.
What capabilities will future security leaders need?
Future security leaders must understand convergence. Cyber, physical and human risks are already blended in the way attackers operate, and defenders need to think in the same way.
Critical assets are rarely purely digital or physical. They involve systems, devices, locations and people. Security teams, therefore, need to work more closely across disciplines and protect assets holistically.
If attackers are prepared to exploit personal compromise alongside physical access and technical vulnerabilities, security leaders must be prepared to defend in equally integrated ways.
How is AI changing the way attackers exploit people?
AI is amplifying low-sophistication attacks, and we are seeing more tailored spear-phishing campaigns, automated phone social engineering and the use of deepfakes at a scale that was previously not possible.
While AI enables criminals to operate more effectively, defence still often comes down to people making the right decisions and organisations supporting them to do so. AI can be a powerful defensive tool, but only if responsibly configured.
We are also starting to see AI-related data breaches caused by poor configuration rather than malicious intent. Organisations need to assess these risks carefully.
Overall, AI represents the most significant shift the security industry has seen in years, bringing both serious threats and major opportunities that organisations need to address quickly.
