
The weakest link? How to manage human risk in cyber defence

By Hol Thomas-Wrightson, 23 March 2026

With so much of our modern lives spent on the Internet, from shopping and keeping in contact with friends, to remote working and banking, it should come as no surprise that cybercrime is an ever-growing threat to us all.

For organisations, the attack surface is larger still, with every new product, client and employee offering a different possible avenue for a hacker to explore.

In February 2026, ICA held a webinar to consider these threats, and what can be done to mitigate them. Tim Tyler, Vice President, ICA, hosted the webinar, talking with Oz Alashe, CEO and Founder of CybSafe, and Glenn Wilkinson, CEO and Co-founder of Agger Labs, to share practical insights into understanding and managing human risk, so that employees become cybersecurity champions, not accidental insiders.

What is the threat?

Alashe started the conversation by looking at the risks, making sure to remind us that ‘behind every one of these incidents, there is an individual victim’. At the individual level, they could experience reputational and financial loss, as well as carrying broader trauma from the experience. 

At an organisational level, the impacts can be financial, legal and regulatory, before even considering how the loss of data can ruin an organisation’s reputation with customers and partners. Broader still are the operational and third-party impacts: disruption to the business itself and to those who depend on it, and the loss of intellectual property.

Wilkinson added that cybercrime has come a long way from an almost academic process, with talented individual hackers or small groups breaking or defacing websites to demonstrate their skills. But as individuals and businesses alike have moved increasingly to online spaces, so too has criminal interest and threat. 

The invention of Bitcoin only fuelled the rise of cybercrime, driving a shift towards ransomware in particular, which the National Cyber Security Centre (NCSC) has highlighted as one of the biggest cyber threats in the UK. [1]

Alashe highlighted the importance of remembering that there are layers to our approach to building and protecting our technology infrastructures. But he also acknowledged that there is realistically no such thing as 100% protection: it is more about assessing and reducing risk. As such, it pays to remember that people are not outside the system as simply users: people are part of an organisation’s system, and so they can be integral to protecting it.

It’s also important to understand the risks, in order to overcome them. Part of this may involve using ‘white hat hackers’ – hackers that offer their services to organisations, to try and break their systems (in controlled environments) as a way of showing them the weaknesses and how to fix them. 

By understanding the methods used by criminals – literally seeing them in action via an expert, rather than trying to predict or presume – organisations can more accurately protect against future attacks. 

Wilkinson explained that email in particular offers criminals many methods of entry, whether through phishing scams, or through sites offering lists of leaked email addresses and passwords, which attackers can reuse to log straight in to a business’s accounts wherever those credentials have been recycled.

Tim Tyler also asked Alashe to further explain the social engineering aspects, as well as poor security habits:

How do we respond?

The approach to training in cybersecurity has changed recently. A lot of organisations have adopted measures like regular simulated phishing campaigns, to track who needs further training in recognising them, or enforced periodic password changes. However, research suggests these steps can lead to little or no change in behaviour, or can even lead to risky behaviours, such as employees writing passwords down on paper to keep track of them. [2]

Wilkinson suggested this could also sow the seeds of distrust and animosity between employees and those managing IT services. He offered an alternative, more honest approach: letting people know in advance that a phishing email is going to be sent, so that they know to look out for it and can see for themselves how sophisticated such emails can be. Another option is building systems such as nudge training, where a notification appears at the moment of a risky action, asking the employee to pause and question it.

Should we take people out of the picture?

Tyler pointed out that for many organisations, given all the risk and difficulty in actually changing behaviour, the question may start to be asked if it’s worth removing people entirely from the equation. 

Alashe highlighted the importance of understanding what risk actually means: ‘risk is not a bad thing happening; it is the potential for a bad thing to happen’. As such, it’s not a case of either/or, but of employing multiple approaches to reduce not just the likelihood of something bad happening, but also the impact if it does. Organisations are made of people, and thinking we can just take them out of the loop to avoid needing to train them just isn’t realistic. 

Wilkinson agreed, pointing out that organisations need to build cyber defence by design, where systems encourage people to do the right thing, making safe actions and approaches the natural way of acting, rather than setting them up to fail. 

The onus of cybersecurity should always be on the organisation itself, rather than shifting it onto the individual workers and blaming them when it fails. 

AI: a new hope, or just another risk?

With the increase in adoption at both a business and individual level, AI is having a growing impact on all landscapes, both illicit and benign. 

This is manifesting in a kind of arms race: a rush from both sides, to build better and more sophisticated defences, while hackers try to develop new forms of attack to break or circumvent those defences. 

For good, organisations are using it in technology infrastructure, to build better cyber security tools, to work out human behaviour, and develop new ways to help protect. 

For worse, AI helps criminals to research, guess passwords, and to augment their familiar attack methods. They can now produce more convincing phishing emails and deepfakes that can con CEOs, or use the technology to launch attacks at a scale far larger than they could manually. 

Organisations need to work hard not only to defend against hackers, but to involve their human employees to properly understand the risks, to set up systems so the best outcome is the natural one, while also ensuring employees are part of the security infrastructure, rather than pushing them further outside of it. 

Tools for good?

Tyler brought the webinar to a close with a final question that may occur to many looking to employ the help of white hat hackers: by giving them access to organisational systems, are they not being given the opportunity to use that information for bad? 

The full webinar, The weakest link? How to manage human risk in cyber defence, is available to ICA members via our Learning Hub.

For more information and to sign up to our upcoming ICA webinars, visit our events page.