
According to Mimecast’s 2025 State of Human Risk Report, 95% of data breaches now involve human error, whether through insider threats, credential misuse or plain user mistakes. This isn’t a technology problem. It’s a people problem. And one might think that people problems fall under the remit of HR, no?
The Concentration Problem
It’s also urgent: just 8% of employees account for 80% of cybersecurity incidents, according to the same Mimecast research. Think about the HR implications of that statistic and you realise that a small fraction of your workforce is creating disproportionate risk. A better firewall does nothing about that; technical controls such as multi-factor authentication limit the damage when someone slips, but they don’t change the behaviour. You change it with better training, clearer policies and stronger accountability, which sits squarely in HR’s wheelhouse.
When we run penetration testing engagements, the technical vulnerabilities we find are rarely the real story. The real story is what those vulnerabilities reveal about organisational culture and training gaps. We recently worked with a retail organisation where we accessed multiple user accounts using credentials found online. There was no sophisticated hack: employees had reused passwords and registered their work email addresses on personal services such as Netflix and Spotify or LinkedIn, Facebook and other social media sites. When one of those services is breached, the leaked email and password pair gets tried against the employer’s login, and a reused password simply works.
This isn’t a problem you solve by hiring a Chief Information Security Officer. You solve it by training the people you already have. That’s HR’s remit.
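The triage a tester does with a credential dump like the one above can be automated: flag every work address that appears in the dump, then check whether the leaked password also opens the corporate account. The following is an added example, not code from the article or from the engagement it describes. The dump, the corporate directory, the domain `example.com` and the PBKDF2 hashing are all constructed for illustration; the one property that matters is that the reuse check runs against stored password hashes, so nobody ever needs the corporate plaintext.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

CORP_DOMAIN = "example.com"  # assumption: the organisation's mail domain

# Constructed dump, as scraped from a paste site:
# (third-party service, email address, plaintext password).
LEAKED_DUMP = [
    ("streaming-service", "alice@example.com", "Winter2024!"),
    ("social-network", "bob@example.com", "correct horse battery staple"),
    ("social-network", "carol@gmail.com", "hunter2"),  # personal address, out of scope
    ("hobby-forum", "dave@example.com", "Dave1234"),
]


def corp_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for whatever the real directory stores.
    The check works on stored hashes and never needs corporate plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_directory(plain: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Build a salted-hash directory {email: (salt, hash)}. The plaintext
    input exists only so this demo can construct the directory in-line."""
    directory = {}
    for email, password in plain.items():
        salt = os.urandom(16)
        directory[email] = (salt, corp_hash(password, salt))
    return directory


# Constructed corporate directory: alice and dave reuse their leaked passwords, bob does not.
DIRECTORY = build_directory({
    "alice@example.com": "Winter2024!",
    "bob@example.com": "a-long-unique-passphrase-for-work",
    "dave@example.com": "Dave1234",
})


@dataclass(frozen=True)
class Finding:
    email: str
    service: str   # third-party service where the work address was registered
    reused: bool   # the leaked password also opens the corporate account


def triage(dump, directory, domain: str = CORP_DOMAIN) -> list[Finding]:
    """Flag work addresses in the dump and test each leaked password against
    the stored corporate hash using a constant-time comparison."""
    findings = []
    for service, email, leaked_pw in dump:
        email = email.lower()
        if not email.endswith("@" + domain):
            continue  # personal address: not our account to act on
        reused = False
        if email in directory:
            salt, stored = directory[email]
            reused = hmac.compare_digest(corp_hash(leaked_pw, salt), stored)
        findings.append(Finding(email, service, reused))
    return findings


def accounts_to_reset(findings) -> list[str]:
    """Accounts whose corporate password is known to attackers: reset and revoke sessions."""
    return sorted({f.email for f in findings if f.reused})


if __name__ == "__main__":
    results = triage(LEAKED_DUMP, DIRECTORY)
    for f in results:
        print(f"{f.email:20} registered on {f.service:18} reused={f.reused}")
    print("reset now:", accounts_to_reset(results))
```

Every work address in the dump is a training conversation (the employee registered a work identity on a personal service); every `reused=True` is an incident (reset the password, revoke sessions, check for logins from unfamiliar locations). In a real directory the hashes come from the identity provider rather than from a constructed dictionary, and the same idea scales to a full leaked-password audit.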
The Cost of Getting It Wrong
The financial case for HR ownership is compelling. IBM’s 2023 Cost of a Data Breach Report found that organisations with strong security awareness training reduced breach costs by an average of $1.49 million compared to those without, and that employee training on its own reduced the average breach cost by $232,867.
The costs of insider-driven incidents are starker still. According to Mimecast, an insider-driven data exposure, loss, leak or theft event costs organisations an average of $13.9 million. Set against the relatively modest cost of a training programme, the return is hard to ignore.
Yet 74% of Chief Information Security Officers now identify human error as their top cybersecurity risk, according to Proofpoint’s 2024 Voice of the CISO report, up from 60% the previous year. The gap between technology investment and human risk continues to widen.
Reframing Security Training as Professional Development
Here’s where HR can transform the conversation: stop positioning cybersecurity training as compliance box-ticking and start framing it as essential professional development.
Cyber skills are no longer optional extras confined to the IT department. They’re baseline requirements for employability across all roles. An employee who understands cyber threats makes better decisions about data handling, client communications and supplier relationships. These are transferable skills that improve performance well beyond security.
When we run incident simulations, tabletop exercises in which leadership teams walk through responding to a major breach, we consistently see the same patterns: communication breaks down between departments, decision-making authority becomes unclear, and gaps in crisis leadership emerge. These aren’t technology failures. They’re organisational and cultural failures that incident simulations reveal in sharp relief.
In other words, security training doubles as leadership development. That makes it a retention and progression tool, not just a risk management exercise.
Building Psychological Safety Around Security Mistakes
Some 87% of organisations report that security awareness training has helped employees spot cyberattacks. That’s the good news. The concerning news is that 66% still expect data loss from insiders to increase in 2025, and 33% still fear human error in handling email threats.
Why the disconnect? Because training alone isn’t enough. You need a culture shift, and culture change is HR’s domain. Companies that create psychological safety around security mistakes see better outcomes. When staff feel safe reporting that they clicked a phishing link or left their laptop on a train, the organisation can respond while it still matters: reset the credential, revoke the session, wipe the device. When there’s a blame culture, employees hide mistakes until they become disasters.
This requires the same change management skills HR uses for any cultural transformation: clear communication, visible leadership support, systems that reward the right behaviours and consequences that address the wrong ones without creating fear.
From Mandatory to Meaningful
The challenge most organisations face is that their security training is neither engaging nor effective. Annual compliance modules that employees click through whilst thinking about lunch aren’t changing behaviours.
Effective security training needs to be:
• Regular and reinforced: Monthly micro-learning beats annual marathons
• Realistic and relevant: Use real examples from your industry, not generic scenarios
• Measured and adaptive: Track who’s struggling and provide targeted support
• Integrated into culture: Make security part of performance conversations and team discussions
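“Measured and adaptive” means looking past completion rates to what people actually do with a suspicious email, and the concentration figure quoted earlier (8% of staff, 80% of incidents) is itself a measurement you can take from your own data. The following is an added example, not from the article: it computes per-user click and report rates, the click-rate trend across campaigns, the smallest share of the workforce producing 80% of clicks, and the repeat-clickers who need targeted support. The phishing-simulation log, the user names and the outcome labels are all constructed for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed phishing-simulation log: (user, campaign number, outcome).
# Outcome is "reported" (raised it to security), "ignored", or "clicked".
SIM_LOG = [
    ("alice", 1, "clicked"),  ("alice", 2, "clicked"),  ("alice", 3, "clicked"),
    ("bob",   1, "reported"), ("bob",   2, "ignored"),  ("bob",   3, "reported"),
    ("carol", 1, "ignored"),  ("carol", 2, "clicked"),  ("carol", 3, "reported"),
    ("dave",  1, "ignored"),  ("dave",  2, "ignored"),  ("dave",  3, "ignored"),
    ("erin",  1, "reported"), ("erin",  2, "reported"), ("erin",  3, "reported"),
]


def per_user_rates(log):
    """{user: {"n": simulated emails received, "click_rate": ..., "report_rate": ...}}.
    A low click rate with a low report rate (dave) is not a win: nobody is learning."""
    counts = defaultdict(Counter)
    for user, _, outcome in log:
        counts[user][outcome] += 1
    rates = {}
    for user, c in counts.items():
        n = sum(c.values())
        rates[user] = {
            "n": n,
            "click_rate": c["clicked"] / n,
            "report_rate": c["reported"] / n,
        }
    return rates


def click_rate_by_campaign(log):
    """Trend over time: {campaign: click rate}. A falling series is the
    effectiveness signal that a completion percentage cannot give you."""
    sent, clicked = Counter(), Counter()
    for _, campaign, outcome in log:
        sent[campaign] += 1
        if outcome == "clicked":
            clicked[campaign] += 1
    return {c: clicked[c] / sent[c] for c in sorted(sent)}


def concentration(log, share=0.8):
    """Smallest fraction of the whole population that produces `share` of all
    clicks. The article's 8%-of-staff / 80%-of-incidents figure is this number."""
    users = {u for u, _, _ in log}
    clicks = Counter(u for u, _, o in log if o == "clicked")
    total = sum(clicks.values())
    if total == 0:
        return 0.0
    running = 0
    for rank, (_, n) in enumerate(clicks.most_common(), start=1):
        running += n
        if running >= share * total:
            return rank / len(users)
    return 1.0  # not reached: the loop always accumulates to `total`


def repeat_clickers(log, min_clicks=2):
    """Users at or above min_clicks: the list for targeted coaching, not for blame."""
    clicks = Counter(u for u, _, o in log if o == "clicked")
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for user, r in per_user_rates(SIM_LOG).items():
        print(f"{user:6} n={r['n']} click={r['click_rate']:.2f} report={r['report_rate']:.2f}")
    print("click rate by campaign:", click_rate_by_campaign(SIM_LOG))
    print("share of users behind 80% of clicks:", concentration(SIM_LOG))
    print("repeat clickers:", repeat_clickers(SIM_LOG))
```

The report rate is the metric worth celebrating in team meetings, because it measures the behaviour psychological safety is meant to produce. The repeat-clicker list should feed coaching and a manager conversation, never a disciplinary file; the moment it does, the reporting numbers will collapse.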
Research from the Ponemon Institute shows that organisations using realistic simulations in their training programmes saw ROI improve from 30% in 2020 to 40% in 2023. The more authentic the training, the more effective it becomes.
What HR Should Do Tomorrow
Questions HR Should Ask the CISO:
- How are we measuring training effectiveness beyond completion rates?
- What percentage of our incidents are caused by human error versus technical failures?
- Are we creating psychological safety for employees to report security mistakes?
- Can security training support our broader talent development goals?
Immediate Actions:
- Reframe mandatory security training as professional development
- Build security awareness into performance reviews (as a competency, not a punishment)
- Create an internal “security champions” programme to identify and develop talent
- Include security considerations in exit interviews (What were password-sharing practices? What tools did teams use informally?)
Strategic Shifts:
- Make security awareness part of cultural values, not just compliance tickboxes
- Create career pathways for employees who want to develop security expertise
- Partner with IT security on recruitment to ensure security considerations from day one
- Build security incident response into leadership development programmes
Human error hasn’t surpassed technology as the biggest cybersecurity vulnerability. It has always been the biggest one. We’ve just spent billions on technology hoping to engineer our way around it, and that approach has failed.
The organisations that will thrive in 2025 and beyond aren’t those with the most sophisticated security technology. They’re the ones where HR and IT security work as genuine partners, where security training is viewed as talent development, and where psychological safety means employees can admit mistakes before they become disasters.
Your people are either your biggest vulnerability or your strongest defence. Which they become depends largely on the decisions HR makes.
• Mimecast, “State of Human Risk Report 2025” (2025)
• IBM, “Cost of a Data Breach Report 2023” (2023)
• Proofpoint, “Voice of the CISO Report 2024” (2024)
• Ponemon Institute, “ROI of Cybersecurity Training” (2023)