The Human Firewall: Why Employee Training Is Your First Line of Defence

Gareth Shaw, MD Pera Prometheus

Throughout my military career and now as a security consultant, I’ve witnessed the relentless evolution of information and cyber threats. While technology has advanced, bringing sophisticated defences to counter increasingly complex attacks, one vulnerability remains constant: the human element. 

For businesses in the UK Defence Industry supply chain, employees are often the first point of contact for cyber attackers, the ‘low hanging fruit’ they rely upon to compromise your security and gain unauthorised access to your systems. Your staff can be your greatest weakness or your strongest asset, essentially your human firewall. For small and medium enterprises (SMEs) handling sensitive data and navigating strict regulations, investing in employee security awareness training is not just advisable, it’s essential.

Social engineering takes advantage of instinctive and social behaviours that have developed in humans over millennia, but a small amount of security awareness training can counter this vulnerability, provided that the training is relatable to the audience. I must stress, however, that training must be effective; just going through the motions achieves nothing. Employees playing a training awareness module on one screen while doing other work on another won’t improve your security but will waste your money. Get your teams in a room with an experienced security professional who can provide relatable, eye-opening awareness training that they can truly engage with and challenge.

In this blog, I make the case for building a robust human firewall by examining real world security breaches, the power of phishing simulations, and practical steps to enhance your defences.

The Scale of the Problem: Human Error in Security Breaches

Human vulnerability is a leading cause of security breaches worldwide, and the UK is no exception. According to the UK Government Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cyber attack or breach in the past 12 months, with phishing attacks being the most common threat, affecting 84% of businesses that reported incidents. 

Even more striking, research from IBM’s Cost of a Data Breach Report 2025 indicates that 26% of data breaches can be attributed to human error, such as clicking on phishing links, using weak passwords, or accidentally sharing sensitive data. 16% of breaches involved attackers using Artificial Intelligence (AI), for example AI-generated phishing and deepfake impersonation attacks, indicating an escalating AI arms race.

For SMEs in the UK Defence Industry, the stakes are higher. A single breach can compromise sensitive contracts, disrupt supply chains, or damage relationships, with corresponding negative impacts on credibility, reputation and reliability.

Common human errors include susceptibility to:

  • Phishing: Employees clicking on malicious links or sharing credentials in response to fraudulent emails. Given the increasing use of AI to facilitate these attacks, it is becoming harder to distinguish an attack from a genuine email.
  • Weak passwords: Using easily guessed passwords or reusing them across multiple platforms. There are technology solutions which can support your staff in using complex passwords and multi-factor authentication.
  • Accidental data leakage: Sharing sensitive information via unsecured channels or misconfigured systems. Focusing on ‘getting the job done’ to meet deadlines, at the expense of following business process, is a contributory factor to this vulnerability.

These mistakes highlight why employees can be the weakest link, but with proper training, they can become your greatest strength.

Notable UK Data Breaches Caused by Human Error

Human error remains a significant cause of data breaches, even in highly regulated sectors like the UK Defence Industry. Below are three notable UK incidents between 2023 and 2025, illustrating how simple mistakes can lead to severe consequences and underscoring the importance of employee security awareness training.

  1. Police Service of Northern Ireland (PSNI) – August 2023: The PSNI accidentally disclosed the names, ranks, and roles of approximately 10,000 officers and staff in response to a Freedom of Information (FOI) request, when an employee included sensitive data in an unredacted FOI response. A separate incident the following day involved the theft of a spreadsheet containing the names of 200 officers and staff, due to poor data handling practices. The breach endangered officer safety, as the data could be exploited by malicious actors. The Information Commissioner’s Office (ICO) identified the cause as a lack of managerial oversight and security awareness training.
  2. UK Local Councils (Multiple) – 2023 and 2024: Over 5,000 data breaches were reported across UK local councils in 2023, with 2,400 in 2024, including incidents at Surrey (634 breaches) and Kent (734 breaches) County Councils. Breaches were caused by human errors such as sending emails to incorrect recipients, misplacing paperwork, and inappropriate data sharing. These incidents were the result of inadequate cyber security procedures for SMEs and a lack of ongoing staff training. They compromised sensitive citizen data, leading to ICO investigations and fines in some cases. Councils faced reputational damage and increased pressure to implement information security awareness programmes to address recurring errors.

These incidents illustrate that human error, ranging from careless email handling to inadequate system checks, can have far-reaching consequences. For defence SMEs, where data sensitivity is paramount, security awareness training is essential to mitigate such risks.

The Power of Phishing Simulations: Building Resilience

Among all forms of security training, phishing simulations are a proven tool for reducing the risk of human error. These controlled exercises mimic real-world phishing attacks, allowing employees to practise identifying and responding to suspicious emails in a safe environment. For SMEs in the defence supply chain, where phishing is a primary attack vector, simulations are a game-changer in educating staff to distinguish an attack from a genuine email.

The UK Cyber Security Breaches Survey 2025 notes that phishing attacks are growing more sophisticated, with AI-driven impersonation tactics making fraudulent emails harder to spot. Regular simulations help employees recognise red flags, such as unusual sender addresses, urgent language, or unexpected attachments. According to a 2023 study by KnowBe4, organisations that conduct phishing simulations see a 50% reduction in phishing susceptibility after just three months of training.

For defence SMEs, simulations offer measurable benefits:

  • Improved detection rates: Employees become more vigilant, reducing the likelihood of falling for phishing scams.
  • Real-time feedback: Simulations provide immediate insights into which employees need additional training.
  • Cost-effective risk reduction: Preventing a single breach can save thousands, far outweighing the cost of simulation tools.

This hands-on approach builds confidence and ensures your ‘human firewall’ is ready to face the evolving threat.

Security Awareness Programmes: Creating a Culture of Vigilance

Beyond simulations, comprehensive security awareness training is essential for fostering a security-conscious culture. For SMEs with limited budgets and staff, ongoing training ensures employees understand their role in protecting sensitive data and meeting regulatory requirements.

The National Cyber Security Centre (NCSC) offers free resources, such as the Top Tips for Staff, designed to help employees recognise common threats like phishing and malware. Training programmes should cover:

  • Recognising threats: Educating staff on phishing, social engineering, and insider threats.
  • Best practices: Encouraging strong passwords, secure file-sharing, and safe internet use.
  • Incident reporting: Teaching employees how to report suspicious activity quickly and effectively.

For defence SMEs, a strong security culture is particularly critical. The Cyber Security Breaches Survey 2025 found that only 19% of businesses overall provide regular cyber security training, with even fewer SMEs prioritising it. Yet organisations with consistent training regimes report fewer breaches and faster recovery times. By embedding information security awareness into your workplace, you empower employees to act as proactive defenders, not just passive users.

Practical Tips for SMEs: Building an Effective Human Firewall

Starting a security awareness training programme doesn’t have to be costly or complex. Here are some actionable steps you can take to become more security resilient:

  • Leverage free resources: Use NCSC’s free Small Business Guide and Top Tips for Staff training modules to educate employees without breaking the budget.
  • Schedule regular phishing simulations: Conduct simulations quarterly to keep employees sharp. Tools like those offered by Get Safe Online or Cyber Essentials partners are affordable and effective. Get in touch with Pera Prometheus to get advice on this.
  • Make training engaging: Use real-world examples, such as recent phishing scams targeting the defence sector, to make sessions relevant and memorable.
  • Set clear policies: Create a simple security policy covering password management, email safety, and incident reporting. Ensure all staff are familiar with it.
  • Measure progress: Track metrics like phishing simulation click rates or incident reporting times to gauge training effectiveness.
  • Encourage reporting: Foster a no-blame culture where employees feel safe reporting mistakes or suspicious activity. Have a reporting process in place.
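As an added example (not part of the original post), here is how the ‘measure progress’ metrics above can be computed from phishing-simulation results: click rate, report rate, median time-to-report, and the list of staff who clicked but never reported. The two campaigns, user names and timings are constructed sample data, not real results.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimResult:
    user: str
    sent: datetime
    clicked: Optional[datetime] = None   # None: did not click the lure
    reported: Optional[datetime] = None  # None: did not report it

SENT = datetime(2025, 3, 3, 9, 0)  # constructed campaign send time

def _row(user, click_min=None, report_min=None):
    """One constructed result; times are minute offsets from SENT."""
    def at(m): return SENT + timedelta(minutes=m) if m is not None else None
    return SimResult(user, SENT, at(click_min), at(report_min))

# Constructed results for two quarterly campaigns (sample data, not real users).
Q1 = [_row("alice", 5), _row("bob", None, 12), _row("carol", 2, 20), _row("dave", 7),
      _row("erin"), _row("frank", None, 30), _row("grace", 3), _row("heidi")]
Q2 = [_row("alice", 4, 9), _row("bob", None, 5), _row("carol", None, 8), _row("dave", 6),
      _row("erin", None, 15), _row("frank", None, 7), _row("grace", None, 11), _row("heidi")]

def campaign_metrics(results):
    """Click rate, report rate and median minutes-to-report for one campaign."""
    n = len(results)
    clicked = sum(1 for r in results if r.clicked)
    ttr = [(r.reported - r.sent).total_seconds() / 60 for r in results if r.reported]
    return {"sent": n,
            "click_rate": round(clicked / n, 3) if n else 0.0,
            "report_rate": round(len(ttr) / n, 3) if n else 0.0,
            "median_minutes_to_report": round(median(ttr), 1) if ttr else None}

def needs_followup(results):
    """Users who clicked and never reported: first in line for the next session."""
    return sorted(r.user for r in results if r.clicked and not r.reported)

def susceptibility_change(before, after):
    """Relative change in click rate between two campaigns (negative = improvement)."""
    b = campaign_metrics(before)["click_rate"]
    a = campaign_metrics(after)["click_rate"]
    return round((a - b) / b, 3) if b else 0.0

if __name__ == "__main__":
    for name, camp in (("Q1", Q1), ("Q2", Q2)):
        print(name, campaign_metrics(camp), "follow up:", needs_followup(camp))
    print("click-rate change Q1->Q2:", susceptibility_change(Q1, Q2))
```

A rising report rate alongside a falling click rate is the signal that the no-blame reporting culture is taking hold, not just that people are clicking less.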

If you struggle or don’t know where to start, Pera Prometheus can help tailor these initiatives to your specific needs, ensuring compliance with UK defence industry cyber security standards while maximising your team’s preparedness.

Your Employees are the First and Last Line of Defence

Technology alone cannot protect your business from information and cyber threats. Firewalls, antivirus software, and encryption are critical, but they’re only as strong as the people using them. By investing in employee training and phishing simulations, SMEs and UK Defence Industry partners can transform their workforce into a robust human firewall. This not only reduces the risk of costly breaches but also ensures compliance with Cyber Essentials and ISO 27001, enhances client trust, and strengthens your position in the competitive defence sector.