
In an era where cyber threats are becoming increasingly sophisticated, Australian businesses face an alarming reality. Quite simply, the most advanced cybersecurity systems can be undone by a single human error.
Despite significant investments in technology, the human element remains the most vulnerable link in the cybersecurity chain. Breaches are routinely traced to social engineering, successful phishing scams and simple mistakes made when handling private systems or login credentials.
This blog takes a deeper look at the concept of Human Cyber Risk, and at the practices businesses can implement to reduce the dangers and setbacks that employee error can cause.
What is Human Cyber Risk?
Human Cyber Risk refers to the vulnerabilities introduced by human behaviour, errors, or negligence that can lead to cybersecurity breaches. These risks encompass actions like falling for phishing scams, misconfiguring systems, or inadvertently disclosing sensitive information. In Australia, the significance of human error in cyber incidents is borne out by recent statistics.
According to the Office of the Australian Information Commissioner (OAIC), between January and June 2024, 38% of all data breaches were attributed to human error, including actions like sending information to the wrong recipient or failing to use BCC in emails. This highlights how central Human Cyber Risk is to the likelihood of a data breach.
The Main Causes of Human Cyber Risk
Several common scenarios illustrate how human actions can compromise cybersecurity:
- Phishing Attacks: Employees may inadvertently click on malicious links or attachments, granting attackers access to systems.
- Poor Password Practices: Using weak or reused passwords can make it easier for attackers to gain unauthorized access.
- Misconfigurations: Incorrectly setting up systems or applications can expose vulnerabilities.
- Social Engineering: Attackers manipulate individuals into divulging confidential information.

A notable example is the very recent 2025 Qantas data breach, where attackers exploited a third-party customer service platform through social engineering tactics. By deceiving an offshore call centre employee, they accessed personal data of up to six million customers.
Qantas themselves have released the following numbers, showcasing just how catastrophic a data breach can be:
- 1.2 million records contained only name and email
- 2.8 million included name, email, Frequent Flyer number and status tier
  - A smaller subset of these also contained points balance and status credit
- 1.7 million held additional personal details:
  - 1.3 million addresses (home, business or hotel delivery addresses)
  - 1.1 million dates of birth
  - 900,000 phone numbers
  - 400,000 gender entries
  - 10,000 meal preferences
Why Technology Alone Doesn’t Address Human Cyber Risk
While technological solutions like firewalls, antivirus software, and multi-factor authentication are essential, they cannot fully mitigate human cyber risk. Attackers often bypass technical defences by targeting individuals directly.
The Qantas data breach exemplifies this, where attackers used “vishing” (voice phishing) to deceive an employee, circumventing existing security measures. This incident highlights the limitations of relying solely on technology without addressing the human element.
Some examples of Human Cyber Risk that have led to security breaches:
- Email Mishaps: An employee sends sensitive information to the wrong recipient due to auto-complete errors.
- Credential Sharing: Staff members share login details, increasing the risk of unauthorized access.
- Unsecured Devices: Using personal devices for work without proper security measures can expose company data.
These everyday actions, often stemming from a lack of awareness or training, can have significant repercussions for businesses.
Strategies for Businesses to Decrease Human Cyber Risk
To mitigate human cyber risk, businesses should implement the following strategies:

- Regular Training: Conduct cybersecurity awareness programs to educate employees about potential threats and safe practices.
- Simulated Phishing Exercises: Test employees’ responses to phishing attempts to identify areas needing improvement.
- Strict Access Controls: Implement role-based access to limit data exposure.
- Robust Policies: Establish clear guidelines on password management, device usage, and data handling.
Adept IT Solutions offers high-level cybersecurity awareness and education training. This type of training is essential for raising the overall level of awareness and accountability among employees in regard to IT and general cybersecurity.
Australian businesses must also navigate regulatory requirements concerning data protection. The Privacy Act requires entities to take reasonable steps to protect personal information, and failure to do so can result in penalties. Additionally, the Notifiable Data Breaches Scheme requires organisations to report certain data breaches to the OAIC and to affected individuals.
Ensuring staff are trained and aware of their responsibilities is crucial for compliance and for safeguarding customer trust.
How Adept IT Solutions can Assist with Human Cyber Risk
The harsh reality for business today is that it’s no longer a question of if your business will be targeted, but when. While firewalls, antivirus programs, and encryption provide critical protection, it is your employees who are most often the unwitting entry point for cyberattacks. Human Cyber Risk isn’t just a technical issue; it’s a cultural one.
As we have seen, Australian statistics clearly show that human error is a leading cause of data breaches, and that risk is entirely preventable with the right training, policies, and support. Empowering your employees to identify threats, report suspicious behaviour, and follow best practices turns your weakest link into your greatest defence.
Take Action Now — Don’t Wait for a Breach to Expose the Gaps
If you’re serious about protecting your business, start with your people. Our team can help you implement:
- Tailored cybersecurity awareness training
- Simulated phishing exercises
- Role-based access controls and policy frameworks
- Full risk assessments aligned with the Essential Eight
Contact our expert team today! With over 20 years of experience providing reliable and trusted IT support to clients in the Newcastle, Central Coast and Sydney areas, Adept IT Solutions can help protect your business.
You can reach out via phone, at 1300 423 378 or simply email us at info@adept-it.com.au. Our IT service experts are ready to help raise the level of cybersecurity standards in your business today!