Sam Sheppard, Senior Communications and Campaigns Manager, RenewableUK, and Matthew Bancroft, Senior Security Director, Capgemini
25/06/2025 | Cyber security
Cyber security and human risk: are humans the weakest link?
The third instalment in a cyber security series from Capgemini and RenewableUK explores how human behaviour remains the most exploited vulnerability in modern cyberattacks, what practical steps can be taken to mitigate this, and what we can all learn from Brad Pitt.
Greeks bearing gifts
Over 3,000 years ago, in the now infamous former city of Troy, defenders rejoiced as the Greek army was vanquished after a decade-long siege. The surrounding bay was clear of warships and the beaches empty of military tents. A huge wooden horse was the only indication they were ever there.
Had they not been so exhausted from battle and jubilant with victory, more sober Trojan minds might have questioned this conspicuous Greek gift. On this day, however, scepticism did not prevail. And so, it was not the mighty walls of Troy that were breached, with the perimeter still holding fast, nor was it the imposing gate that had shattered. It was not iron or wood, nor cement or stone, that ultimately laid Troy low. Rather it was trust, and manipulation of that all too human emotion.
Our technology has come a long way in the subsequent three millennia. Today we invest in firewalls, endpoint detection, and sophisticated scanning to protect our assets. But our amygdala, the part of the brain that processes emotions like fear, is much the same as that of our Trojan forebears. When we’re in a rush, links can seem convincing. After a long day, when we’re prompted to update our password, surely “BradPitt2004Troy” would do? It is rarely modern cyber security defences that fail; instead, misplaced human trust often proves to be the weakest link.
People are the most exploited attack surface
Technology evolves and threat actors certainly innovate. But, year after year, the majority of security breaches still arise from human behaviour. Whether through deception, mistakes, or deliberate misuse, attackers increasingly target the people within organisations when seeking to open the proverbial gates. Human vulnerabilities typically manifest in cyber security breaches in four primary ways, which are rarely used in isolation. Capgemini has tracked how frequently each occurs:
- Phishing and social engineering (68% frequency)
A message appears benign or routine, but hides a threat, such as a file, link, or seemingly urgent request. Such threats often play on emotion through authority, urgency, or reward.
- Credential theft and misuse (30% frequency)
Usernames and passwords are the gate keys. Reusing passwords or choosing weak ones makes them easy to steal, guess, or phish.
- Human error (28% frequency)
Mistakenly CCing the wrong person, uploading the wrong file, or exposing data in shared documents. All are small mistakes with potentially big consequences.
- Malicious insider threats (6% frequency)
A trusted user goes rogue. Whether motivated by revenge, coercion, or negligence, they knowingly violate policies to harm their organisation.
When human risk becomes real
To illustrate how human-centric risks manifest in real-world scenarios, we can look at four notable incidents which embody these primary categories:
- NHS ransomware attack, 2022 (phishing and social engineering)
In early 2022, the National Health Service (NHS) experienced a significant cyber incident involving a phishing campaign that targeted official email accounts, offering a stark illustration of how such an attack can compromise entire swathes of critical national infrastructure. 139 NHS email accounts were compromised and used to distribute over 1,157 phishing emails over a period of several weeks. The compromised accounts were used to send emails, often impersonating NHS.net (the email, diary and directory system for health service employees in England and Scotland), to trick individuals into providing personal or financial information, leading to the exposure of sensitive data for around 80,000 individuals. The Information Commissioner's Office (ICO) later fined the responsible IT department £3 million for failing to implement adequate security measures, including the absence of multi-factor authentication (MFA). In this case, the attackers exploited human trust and the lack of basic security protocols, leading to widespread service disruption and data compromise, and underscoring how social engineering tactics, combined with insufficient security practices, can have far-reaching consequences.
- The Colonial Pipeline attack, 2021 (credential theft and misuse)
In May 2021, the Colonial Pipeline, which runs from Texas to New York, fell victim to a ransomware attack after hackers accessed its network via a compromised password. The password had been used for several accounts on the network, meaning the hackers gained extensive access through it. They were, in effect, able to open multiple doors using a single key. The breach led to fuel shortages across the Eastern United States and a ransom payment of $4.4 million, resulting in widespread societal disruption from a seemingly minor oversight.
- Facebook’s cloud misconfiguration, 2019 (human error)
In 2019, security researchers from the software company UpGuard discovered that over 540 million Facebook user records were publicly accessible through misconfigured Amazon Web Services (AWS) cloud servers. The exposed data encompassed user IDs, comments, reactions and, in some cases, passwords. This incident was not the result of a sophisticated cyberattack but stemmed from human error, specifically the failure to properly configure the system. The developers neglected to implement basic security measures, such as password protection or encryption, leaving vast amounts of personal data vulnerable to unauthorised access. This breach underscored the potential impact of human errors, with even well-intentioned developers capable of inadvertently exposing sensitive information through simple missteps.
- ‘The Tesla Files’, 2023 (malicious insider threat)
In May 2023, Tesla disclosed a significant data breach affecting over 75,000 current and former employees. The breach was traced back to two former employees who, in violation of Tesla's IT security and data protection policies, misappropriated confidential information and shared it with a German media outlet. The leaked data included names, contact information, social security numbers, and employment details. Investigation revealed that the insiders had accessed and exfiltrated over 100 GB of sensitive data, which was subsequently named ‘the Tesla Files’. Investigations also revealed that these former employees had grievances with Tesla’s management, underscoring how internal dissatisfaction can become a catalyst for malicious actions.
Empowering individuals to mitigate human-centric cyber risks
The good news is that organisations and their employees are equally able to address the challenges of human cyber risk. Below are practical steps that RenewableUK members can implement to protect themselves and their organisations:
- Phishing
Organisations should run regular phishing simulations, which can significantly reduce the likelihood of staff falling for real attacks.
Individuals should be sceptical of unsolicited communications, always verifying the authenticity of unexpected emails or messages, especially those requesting sensitive information or urgent actions. If in doubt, they should adopt a ‘better safe than sorry’ approach and flag the email as suspicious.
- Credentials
Organisations should enable multi-factor authentication (MFA), which is able to block over 99.9% of account compromise attacks.
Individuals should use strong, unique passwords, avoid reusing passwords across different accounts, and use password managers to generate and store complex passwords securely.
- Human error
Organisations should communicate best practices to their workforce, ensuring all cyber security practices are clearly understood and regularly updating their team’s knowledge to minimise the risk of inadvertent errors.
Individuals should double-check before sending emails, especially those containing sensitive information, verifying the recipients and attachments to prevent accidental data leaks.
- Malicious insiders
Organisations should foster a culture of integrity by encouraging open communication and ethical behaviour to deter potential insider threats.
Individuals should report suspicious behaviour through the appropriate channels if they notice unusual activities or policy violations.
Whether it concerns ancient Troy or tomorrow’s Tesla, human vulnerabilities remain consistent targets for attackers. Addressing these human-centric risks demands ongoing vigilance, regular training, and a proactive security culture.
What happens when the Trojan horse learns to knock? Stay tuned for upcoming articles that discuss the impact of AI and what this means for the future of digital security.