SoSafe Research: Cybersecurity threats hit five-year peak
New research by SoSafe revealed that 85% of UK security professionals believe the current threat landscape is the toughest it has been in five years, with only 44% hopeful for improvement in the next 12 months. The alarming rise in cybercrime is overwhelming organisations.
These findings are from SoSafe’s 2024 Human Risk Review, which examined the cyber threat landscape and corporate security culture using responses from over 1,250 security leaders in Western Europe and 3.2 million data points from the SoSafe awareness and human risk management platform.
Half of the security professionals surveyed experienced a successful cyberattack in the past year, with 52% of respondents in Europe and 55% in the UK reporting incidents. The impact is significant: 60% of professionals rated the risk of a substantially negative impact from cyberattacks as high. Human vulnerability is identified as the primary cause of successful cyberattacks (36%), and Forrester predicts this could rise to 90% in 2024, highlighting the urgent need for behavioural-based approaches to involve employees actively in cyber defences.
Dr Niklas Hellemann, psychologist and CEO of SoSafe, said: “Organisations are caught in a pincer movement, with threats rising from every angle. This current age of geopolitical instability is creating new motives and new opportunities for criminals and state actors to cause damage. With access to the latest, sophisticated AI-powered tools, attacks are coming in unexpected forms from unexpected plans. We must not underestimate the size and scale of this threat and empower people to confront it, helping organisations to establish the human layer as the most versatile part of their security strategies.”
What’s behind the rising cyber risk
The Human Risk Review finds three primary accelerators behind this increasingly dangerous environment: new technologies, global instability and interconnectivity.
AI can automate mass spear phishing campaigns, making them more efficient and easily translatable into multiple languages. It also increases the credibility of attacks through advanced techniques like voice cloning and deepfakes (as seen in a deepfake case in Hong Kong) and improves the quality of malicious content by reducing errors. Even non-professional users can use tools on the black market to create attacks at scale. Nearly four in five security leaders in the UK (84%) said that use of generative AI by cybercriminals was a concern, rising to 93% for organisations with more than 5,000 employees. Deepfake technology poses a significant risk to their organisation, according to 84% of respondents.
Rising global insecurity can create the conditions for accelerating cybercrime. Three in four (77%) security professionals agree that the geopolitical situation has increased the security risk of their organisation. The current geopolitical climate increases vulnerability to attacks, as news stories and political moves provide opportunities for social engineering that cybercriminals exploit. It also makes the threat landscape more complex, with more diverse threat actors, such as hacktivists, and attack motives.
The digital world is also ever more closely knit together, giving cybercriminals more opportunities to get in the middle of an increasingly connected world. Security increasingly relies on the actions of others, emphasising that cybersecurity is a shared responsibility. As a result, supply chain attacks are on the rise: 85% of security professionals said that supply chain security has become a more significant concern to them.
The social engineering basics still work despite technological advancement
Cybercriminals are blending advanced technology with traditional tactics to exploit vulnerabilities. Phishing emails, a long-standing method, remain effective. SoSafe’s cyber training programme revealed that 37% of participants initially clicked on harmful content, with 38% of those proceeding to engage further, such as filling out malicious forms and sharing personal information. The highest click rates were triggered by themes related to authority, pressure, anxiety, trust, and intimacy. The most effective simulated phishing email subject line was "payroll accounting error," which induced pressure and anxiety, resulting in a 62% click rate.
SoSafe identified the five most common attack types cited by companies: phishing, malware, DDoS, ransomware, and social engineering beyond phishing and vishing. Notably, more sophisticated attacks like malware and ransomware begin with phishing or other forms of human manipulation 80% of the time.
Cyberattacks are increasingly utilising multiple channels. SoSafe noted growing threats from QR codes, supply chain or third-party vendors, and physical security breaches. Although email remains the most popular channel for phishing attacks, its dominance is waning, decreasing from 61% in 2022 to 51% in 2023, as cybercriminals diversify their methods.
Andrew Rose, Chief Security Officer of SoSafe, said: “Cyber criminals will focus on what works. That generally is a mix of the ‘tried-and-true’ along with novel ways of trying to accelerate, personalise and scale their attacks. Employees need to be taught a mix of good foundations that will still be valid as threats evolve, along with ‘security instincts’ that will help them to react to new, evolving attacks as cybercriminals adapt.”
How organisations are reacting
While strong technical security measures are essential, they alone cannot protect against the tactics of modern cybercriminals. The workforce must be strengthened by tapping into an organisation’s greatest resource – its employees. 94% of security professionals in the UK said building a security culture in their organisation is a key priority.
The executive board and senior leadership are increasingly engaged with these decisions. Essentially every organisation (99% of respondents) said that senior executives and the board are involved in cyber security governance and decision-making. Three in four UK respondents said focus on security increased over the last three years (73%), compared to 58% of all respondents, and that cyber security is a core component of their business strategy (67%).
Three in four organisations (74%) increased their cybersecurity budget in the last two years, with 52% doing so due to the growing threat landscape and technological advancements, and 42% following incidents or breaches.
Dr Niklas Hellemann said: “The human-centric approach to cybersecurity is neither novel nor untested. We’ve worked with thousands of companies over a number of years. It’s affirmed what I’ve known since the company’s foundation: a behavioural approach to sustainably mitigate human risk and empower employees works. In only a year, our customers increased reporting rates up to 147%, which is a clear indication of established proactive security cultures. Together with our customers, we’ve created thousands of ‘cyberheroes,’ who feel confident about their ability to be a part of a human-layer of defence and know that this cohort will only grow in the face of today’s challenges.”