The problem with most cybersecurity isn’t hackers; it’s your own people. Here’s how to fix it. Living Security, a Human Risk Management company, just put out a new 2025 report on human cyber risk. They worked with research experts at Cyentia Institute to study how people behave at work and what that means for security.

The study shows that smart, people-focused programs can cut risk 60% faster than old-school methods. Most companies spend millions on fancy security tools. Firewalls, AI systems, threat detection software – you name it. But here’s what nobody talks about: your biggest security risk is sitting at a desk in your office right now. It’s your employees.
The 10% Problem
A new report just dropped some eye-opening numbers. Get this: only 10% of your workers cause 73% of your security problems. Think about that for a second. A handful of people are creating almost three-quarters of your risk. They’re not doing it on purpose—they’re just clicking bad links, using terrible passwords, and ignoring your security rules.
The good news? Fix those few people, and you’ve solved most of your problems.
Most Training Is Useless
Here’s something that might shock you: those boring security training videos everyone sits through? They only show you 12% of what’s really happening with your people. It’s like trying to drive a car by only looking through a tiny peephole in the windshield. You’re missing almost everything.
Companies that actually know what their people are doing—the ones tracking real behavior across their systems—see five times more than everyone else. And surprise: they have way fewer problems.
Your People Are Actually Helping (Mostly)
Before you start panicking about your employees, here’s the twist: 78% of them are actually making you safer. These are the folks who finish their training on time, report weird emails, use password managers, and follow the rules. They’re not the problem—they’re part of the solution.
Even better? Those remote workers everyone worries about? They’re actually less risky than the people sitting in your office. Go figure.
It Actually Works When You Do It Right
Here’s proof this isn’t just theory. Companies that started tracking their people’s actual behavior and coaching the risky ones saw amazing results:
- 50% fewer risky employees in just one year
- 60% less time employees spent being risky
- 98% reduction in data loss risks
Translation: this stuff actually works when you do it right.
What You Need to Do
If you’re running a company, here’s your action plan:
- Stop wasting money on training that doesn’t work. Start tracking what people actually do, not just whether they watched a video.
- Find your 10%. Figure out who’s causing most of your problems and help them specifically.
- Use your good people. The 78% who are already doing things right can help influence the rest.
- Make it simple. Don’t overcomplicate this. Focus on the basics that actually matter.
The Bottom Line
Cybersecurity isn’t really about technology anymore. It’s about people. And people can change when you give them the right information and support. Your riskiest employees aren’t your biggest problem. Your biggest problem is not knowing who they are.
Fix that, and you’ll fix most of your security headaches. It’s really that simple.