12 Jan 2026

Your Biggest Cyber Risk Isn’t Hackers - It’s Humans

Most small business owners imagine cyber breaches as sophisticated “Hollywood-style” hacks. In reality, most incidents start far closer to home:

👉 someone clicks a dodgy link

👉 someone reuses a password

👉 someone approves a fake invoice

Not malicious insiders — just normal people doing their jobs under time pressure.

Where Things Usually Go Wrong

The same failure points show up again and again:

  1. Clicking before checking

Phishing emails pretending to be Microsoft, suppliers, deliveries or even the CEO. They thrive on urgency — “approve this now” / “payment overdue” / “reset your password.”

  2. Password recycling

One leaked password = access to multiple systems. Attackers love this because it works.

  3. Treating email as “trusted”

Fake payment instructions and supplier bank detail changes are now standard playbooks.

  4. Using personal devices

Unpatched laptops and phones without MFA create a wide-open door. And here’s a key insight many leaders miss:

New staff are the easiest targets

Hackers deliberately go after new starters because they:

✔ don’t yet know how things are done

✔ don’t know who to challenge

✔ don’t want to look difficult

✔ are unaware of red flags

A fake “HR request” or “supplier invoice” lands very differently on someone two weeks into the job compared to someone who knows the ropes.

How to Train People Without Turning It Into a Lecture

You don’t need cyber experts — just people who pause for five seconds before acting.

Train them to ask:

Does this make sense for me, right now, from this person?

and to look out for:

✔ urgency

✔ unexpected requests

✔ money or credentials

✔ slightly “off” sender details

Simulated phishing also works extremely well.

It builds instinct through repetition, not blame.

For small businesses there are low-cost options, such as Boxphish, that send realistic phishing tests to staff.

Budget-Friendly Help for SMEs

Good news: you don’t need corporate budgets to improve resilience.

The Eastern Cyber Resilience Centre provides low-cost staff awareness training specifically designed for smaller organisations. It’s practical, relevant, and doesn’t require anyone to be “technical.” https://www.ecrcentre.co.uk/

Combine that with low-cost phishing simulation and you’ve already cut a massive chunk of your human risk.

Quick Wins That Make a Big Difference

Here are the highest-ROI moves for SMEs:

🔐 Enable MFA (email & finance systems at minimum)

🔐 Use a password manager to stop password reuse

🔐 Automate updates & patching so it doesn’t rely on staff

🔐 Remove local admin rights so malware can’t install itself

🔐 Encrypt laptops & mobiles so a stolen device isn’t a breach

🔐 Have a one-sentence payment rule:

“No bank detail changes without phone verification.” One small policy — massive fraud prevention.

Monday Morning Actions

You could do these in a week:

✔ Create security@yourcompany.com for reporting

✔ Add MFA to Microsoft 365 & finance apps

✔ Ask new starters to complete a 20-minute cyber induction

✔ Enrol staff on low-cost resilience training

✔ Roll out phishing simulations (Boxphish etc.)

✔ Stop using personal devices for HR & finance work

Small changes, big swing in resilience.

Final Thought

Technology helps you defend. But your people decide whether an attack succeeds.

Train them well, give them guardrails, and you’ve just reduced the single biggest root cause of cyber incidents — without spending a fortune.
