There’s not a single person alive who hasn’t made mistakes. It’s part of being human. We forget things. We take shortcuts. We get tired, distracted, or careless. Normally, these little errors don’t matter much: sending a text to the wrong group, leaving your phone on the car roof, misplacing your keys.
But in cybersecurity, human mistakes can have massive consequences. In fact, IBM found that 95% of cyber breaches are caused by human error. Put differently, if we could magically erase human mistakes, 19 out of 20 cyber incidents might not even happen.
That’s how big the problem is. And yet, when most people talk about cybersecurity, they talk about firewalls, encryption, or the latest hacking tools. The human side, the everyday decisions people make at work, is often ignored.
So let’s talk honestly about human error in cyber incidents. Why do people make these mistakes? What kinds of errors are most common? And more importantly, what can organisations actually do about it?
What We Mean by “Human Error”
When we say “human error” in cybersecurity, we don’t just mean clumsy mistakes. We mean unintentional actions or inactions that cause or allow a security breach.
Think about it like this:
- An employee clicks on a phishing email and hands over their login details.
- Someone forgets to install a critical software update.
- A worker reuses the same weak password across multiple systems.
- A team member sends a confidential document to the wrong person.
- Employers design systems and processes that are overly complex, pushing employees into shortcuts and mistakes.
These aren’t deliberate acts of sabotage. They’re ordinary slip-ups in the middle of busy workdays. But cybercriminals thrive on them. A single wrong click or overlooked patch can open the door to an entire organisation’s systems.
Two Types of Human Error
Not all mistakes are the same. Most fall into two categories:
1. Skill-Based Errors
These are slips and lapses. The person actually knows the right thing to do but makes a mistake in the moment.
- Typing the wrong email address and sending sensitive data to the wrong person.
- Forgetting to lock your laptop before stepping away.
- Putting email addresses in the “To” field instead of “BCC.”
These are the “oops” moments caused by distraction, fatigue, or oversight.
2. Decision-Based Errors
These happen when someone makes the wrong choice because they lack knowledge or context.
- Using “123456” as a password because they don’t realise how easy it is to crack.
- Clicking a fake link because they’ve never been trained to spot phishing attempts.
- Ignoring a software update because they don’t understand how urgent it is.
These are harder to fix because they come from not knowing, not just from being careless.
Real-World Examples of Human Error
Human mistakes have caused some of the most damaging cyber incidents in history. In 2016, the BBC reported that one NHS clinic in the UK accidentally exposed the names of almost 800 patients who had attended HIV clinics. This happened through a newsletter in 2015 that mistakenly revealed the recipients’ email addresses to one another. Patients were supposed to be blind-copied into the email, but instead their details were sent as a group email. That wasn’t a hack; it was a human mistake.
Other examples include leaving confidential files on a desk or letting an unfamiliar person “tailgate” behind you into a secure office. These seem small but can expose an organisation to serious risks.

Why Do People Keep Making These Mistakes?
It’s easy to say “people should know better,” but that oversimplifies the issue. Human error in cybersecurity usually comes down to a few factors: opportunity, environment, and awareness.
The more chances there are for something to go wrong, the higher the likelihood that it will. If employees are juggling 10 different logins with 10 different passwords, someone will eventually slip up.
The workplace itself matters. Are people rushed, stressed, or constantly interrupted? Is the office culture one where “getting things done fast” matters more than “doing things securely”? In such environments, mistakes multiply.
Many errors happen due to lack of awareness, simply because people don’t know what the risks are. If no one has explained why phishing works, or why public Wi-Fi is dangerous, it’s not realistic to expect employees to always make the right choice.
What Organisations Can Do About It
The good news is, human error doesn’t have to be the silent killer of your cybersecurity strategy. Here’s how organisations can handle it:
Reduce Opportunities for Mistakes
- Give employees access only to the systems and data they need for their jobs. Less access means fewer opportunities to mess up.
- Deploy password managers and enforce multi-factor authentication. This reduces password fatigue and lowers the risk of weak or reused credentials.
- Don’t rely on users to install patches; make updates automatic wherever possible.
Build a Security-First Culture
- Talk about security often. When it’s part of everyday conversations, employees take it more seriously.
- People should feel safe asking, “Is this link safe?” or “Should I share this file?” without fear of being judged.
- Acknowledge when someone reports a phishing attempt or points out a vulnerability.
Train Smarter, Not Harder
- Use real-world examples that employees can relate to.
- Simulate phishing attacks and give instant feedback.
- Teach small, repeatable habits like double-checking email recipients or locking screens.
Cybersecurity often gets painted as a battle of hackers building new tools, defenders building stronger firewalls. But the truth is, the real frontline is human behaviour. Attackers know this. That’s why phishing remains the number one attack method, why ransomware spreads through missed updates, why so many breaches start with an ordinary person making an ordinary mistake.
If organisations want to get serious about security, they can’t just buy more technology. They need to design systems that support people, foster cultures where security is everyone’s responsibility, and train employees in ways that actually stick.
Because at the end of the day, people are the most important asset, and they need to make better choices.