
Human Error, Email, and the New Era of Cybersecurity

Posted by Paul Holland

Human error is still responsible for most data breaches - and email is often to blame.

To tackle the risk, regulated firms are moving beyond blame and towards better tools, culture, and smarter design.

We’ve all sent the wrong email. The wrong attachment. The wrong name.

And in an era of rising accountability, from Post Office IT scandal prosecutions to the Online Safety Act's new age verification laws, communications are under more scrutiny than ever.

It only takes a moment - and suddenly, the wrong person has access to sensitive information.

In regulated sectors, that kind of error is more than embarrassing - it can be costly - reputationally and financially.

So, what can be done when the problem isn’t a system flaw or a criminal hacker - but someone trying to do their job?

It starts with how we manage risk - and how we support the people behind the keyboard and mouse.

Why Human Error Tops the List

More than 90% of security incidents involve human mistakes.

In the UK last year, over 75% of data breaches reported to the ICO weren’t cyber attacks - they were human mistakes.

According to the ICO’s statistics, the number one reason personal data is compromised is because someone sent an email to the wrong person.

It’s not that people don’t care. It’s that mistakes are easy to make - and easy to miss. Especially when systems aren’t set up to prevent them.

Human Risk Management: A Better Way Forward

Historically, the go-to fix for human error was training - a course, a quiz, maybe a phishing simulation.

But those approaches often stop short of making a real difference.

Human risk management aims to go further, providing more continual and consistent support.

It treats risky behaviours the same way we treat any other operational risk - something to measure, manage, and reduce over time.

That includes analysing behaviour patterns, nudging better decisions, and designing processes that help people get it right by default.

"The goal isn’t always to eliminate mistakes - it’s to make them less likely, less damaging, and easier to recover from."

Paul Holland, Founder, Beyond Encryption

How Leading Firms Are Taking a More Proactive Approach

The most forward-thinking organisations are building protection around the reality of how people work - especially when it comes to email.

1. Encrypting and Controlling Emails by Default

Email was never designed to be secure.

Modern approaches to email security assume that every message could be intercepted - locking down sensitive content as standard.

That means using end-to-end encryption for all private communications.

Some tools do this automatically, applying a high level of security for all emails sent by a particular person, department, or process.

Others make it easy to secure messages from your usual email platform - removing the need for manual steps or extra systems.

This aligns with a broader data loss prevention strategy - one that prevents sensitive data from leaving the business without the right controls in place.

Identity, Mistakes, and Misplaced Trust

When someone’s identity is exposed online, it’s rarely just their name that gets out. It’s their reputation, their safety, and their sense of control.

The recent unmasking of the founder of Tattle Life - an anonymous gossip platform - reignited the debate around digital privacy and responsibility.

Users had shared controversial opinions under the assumption of anonymity.

But as the founder’s real identity was revealed, so were questions about who should be held accountable for what happens in their name - and what safeguards are in place to protect identities online.

While the context is very different, regulated firms face a similar core challenge: how to prove someone is who they say they are when accessing sensitive data - and how to avoid trusting the wrong person.

When email addresses can be guessed or autofilled, identity checks matter - especially when the information being shared could lead to financial or reputational damage if it ends up in the wrong hands.

It’s a lesson also reinforced by the Capita data breach fallout, where the ICO warned firms over third-party mishandling of personal data - knowing who’s on the other end of a message is essential to compliance.

2. Verifying Recipients, Revoking Mistakes

With modern recipient authentication, typing (or auto-filling) the wrong email address doesn’t have to lead to a breach.

Secure email platforms are adding identity checks to make sure only the intended recipient can open an email.

If a message does go to the wrong person, you can revoke access, potentially even after it’s been successfully delivered.

It’s an extra layer of protection for that inevitable mistake - and it could turn a potential breach into a non-event.
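The flow described in this section, a stored message that only the verified recipient can open and that the sender can still revoke after delivery, modelled as an added example. This is illustrative code written for this page, not Mailock's design or implementation: the in-memory store, the one-time code as the identity check, its out-of-band delivery channel, the attempt limit and the sample addresses are all assumptions.

```python
"""Recipient verification and revocation for a stored secure message.
Constructed example for this page, not a vendor's code: the store, the
one-time-code identity check, the out-of-band channel, the attempt limit
and the sample values are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3          # assumed lockout threshold for wrong codes


@dataclass
class StoredMessage:
    sender: str
    recipient: str
    body: str             # a real store would hold this encrypted at rest (assumption noted)
    code_hash: bytes      # only a salted hash of the one-time code is kept server-side
    salt: bytes
    attempts: int = 0
    revoked: bool = False
    opened: bool = False
    audit: list = field(default_factory=list)


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


class SecureMessageStore:
    """Messages never travel in the notification email; the recipient opens
    them here after proving they hold the code sent to the intended address."""

    def __init__(self):
        self.messages = {}
        self.out_of_band = {}   # stand-in for SMS/app delivery of the code (constructed)

    def send(self, sender, recipient, body):
        msg_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        msg = StoredMessage(sender, recipient, body, _hash_code(code, salt), salt)
        msg.audit.append("sent")
        self.messages[msg_id] = msg
        # The code reaches only the address the sender named, so a mistyped
        # recipient who receives the notification still cannot open it.
        self.out_of_band[(msg_id, recipient)] = code
        return msg_id

    def revoke(self, msg_id, sender):
        """Sender withdraws access; works before or after the notification was delivered."""
        msg = self.messages[msg_id]
        if msg.sender != sender:
            raise PermissionError("only the sender can revoke")
        msg.revoked = True
        msg.audit.append("revoked")

    def open(self, msg_id, claimed_recipient, code):
        """Return the body only if the message is live, the identity matches
        and the code is right; every outcome is written to the audit trail."""
        msg = self.messages[msg_id]
        if msg.revoked:
            msg.audit.append(f"open denied (revoked) for {claimed_recipient}")
            return None
        if claimed_recipient != msg.recipient or msg.attempts >= MAX_ATTEMPTS:
            msg.audit.append(f"open denied for {claimed_recipient}")
            return None
        msg.attempts += 1
        if not hmac.compare_digest(_hash_code(code, msg.salt), msg.code_hash):
            msg.audit.append("wrong code")
            return None
        msg.opened = True
        msg.audit.append(f"opened by {claimed_recipient}")
        return msg.body


if __name__ == "__main__":
    store = SecureMessageStore()
    mid = store.send("adviser@example.co.uk", "jane.smith@clientfirm.com", "Pension valuation attached.")
    code = store.out_of_band[(mid, "jane.smith@clientfirm.com")]
    print(store.open(mid, "jane.smith@clientfrim.com", code))   # mistyped address: None
    store.revoke(mid, "adviser@example.co.uk")                   # sender spots the slip
    print(store.open(mid, "jane.smith@clientfirm.com", code))   # revoked: None
    print(store.messages[mid].audit)
```

The point of the design is that the email itself carries nothing sensitive: the notification can land in the wrong inbox and the breach still does not happen, because opening requires both the intended identity and the code, and the sender keeps a kill switch that the audit trail records.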


3. Designing Security That Works for People

People aren’t the weakest link - they’re the front line of defence.

But they need systems that support them, not trip them up.

The best firms are rethinking how email and data security integrate with their existing processes and platforms.

They’re reducing friction, prompting people at the point of risk, and building a culture where mistakes can be raised and resolved early.

Platforms with built-in security alerts that detect sensitive content - such as certain keywords - can prompt users to send messages securely, while also driving good security habits and building awareness.
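A pre-send guard of the kind this section and the data loss prevention point in section 1 describe, as an added example: it scans a draft for sensitive patterns and keywords, flags a recipient address that is one slip away from a known contact, and returns "allow", "secure" (force encryption) or "block" (hold until the sender confirms the recipient). This is constructed illustration code, not Mailock's or any vendor's; the detectors, the keyword list, the internal domain, the contact list and the sample draft are all assumptions.

```python
"""Outbound pre-send guard. Constructed example for this page, not a vendor's
code: detectors, keywords, INTERNAL_DOMAIN, contacts and the draft are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed detectors for data that should never leave in plain text.
SENSITIVE_PATTERNS = {
    "uk_national_insurance": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.I),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
SENSITIVE_KEYWORDS = ("account number", "date of birth", "medical", "salary", "passport")
INTERNAL_DOMAIN = "example.co.uk"   # assumed domain of the sending firm


@dataclass
class Verdict:
    action: str                        # "allow", "secure" (force encryption) or "block"
    reasons: list = field(default_factory=list)


def find_sensitive(text):
    """Names of the detectors that fire on the draft (patterns first, then keywords)."""
    hits = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)]
    lowered = text.lower()
    hits += [f"keyword:{kw}" for kw in SENSITIVE_KEYWORDS if kw in lowered]
    return hits


def edit_distance(a, b):
    """Levenshtein distance, used to spot an address one slip away from a known contact."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss(recipient, known_contacts):
    """Return the known contact a recipient resembles but does not match
    (distance <= 2): the typical mistyped or wrongly autofilled address."""
    r = recipient.lower()
    for known in known_contacts:
        if r != known.lower() and edit_distance(r, known.lower()) <= 2:
            return known
    return None


def check_outbound(recipients, subject, body, known_contacts):
    """Decide whether a draft may go as-is, must be sent encrypted, or should
    be held until the sender confirms the recipient."""
    verdict = Verdict("allow")
    for rcpt in recipients:
        suspect = near_miss(rcpt, known_contacts)
        if suspect:
            verdict.action = "block"
            verdict.reasons.append(f"{rcpt} looks like {suspect}: confirm recipient")
    hits = find_sensitive(f"{subject}\n{body}")
    if hits:
        verdict.reasons += hits
        if any(r.lower().rsplit("@", 1)[-1] != INTERNAL_DOMAIN for r in recipients):
            verdict.reasons.append("sensitive content leaving the business")
        if verdict.action == "allow":
            verdict.action = "secure"
    return verdict


# Constructed sample data.
KNOWN_CONTACTS = ["jane.smith@clientfirm.com", "accounts@clientfirm.com"]
DRAFT = {
    "recipients": ["jane.smith@clientfrim.com"],   # one transposed pair: the classic slip
    "subject": "Your pension transfer",
    "body": "Hi Jane, your date of birth on file is 03/04/1970 and your sort code is 12-34-56.",
}

if __name__ == "__main__":
    v = check_outbound(known_contacts=KNOWN_CONTACTS, **DRAFT)
    print(v.action, v.reasons)
```

Run as-is, the sample draft is blocked with the reasons listed (the near-miss address, the sort code, the "date of birth" keyword and the fact that the content is leaving the firm); the same draft to the correct address comes back as "secure", which is the prompt-at-the-point-of-risk the section describes rather than a silent failure after the fact.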

4. Meeting (and Beating) Regulatory Expectations

Email errors are a significant area of concern for regulators.

The ICO has been clear: sending personal data to the wrong person can count as a reportable breach, even if it was a simple mistake.

The FCA goes further. Under the Consumer Duty, firms must prevent “foreseeable harm” - and that includes harm caused by unsecured or misdirected communications.

After the Capita data breach, the ICO reminded organisations that outsourcing services doesn’t outsource responsibility.

If your data is mishandled - even by a third party - you’re still accountable.

That’s why more firms are putting safeguards in place: encrypting messages, verifying recipients, and giving teams the tools to spot risk before it becomes a problem.

Regulators want proof. Clients want reassurance. The right email controls deliver both.

Why This Is About Trust, Not Technology

This goes beyond a tech issue. It’s a question of trust.

Your clients expect you to handle their data with care.

And when they know you’ve built the right protections around people, that trust only grows.

By embedding email security into everyday workflows, firms are not just managing risk - they’re building resilience.

That’s the value of a human-centred approach.


FAQs

What Is Human Risk Management in Cybersecurity?

Human risk management is a way to reduce the chance of human error by understanding behaviour, supporting good decisions, and designing systems that make the right actions easier.

Why Is Outbound Email a Key Area of Human Risk?

Because it’s used constantly to share sensitive data - and it’s easy to get wrong. A small mistake, like a mistyped address, can have big consequences.

How Does Secure Email Help Manage This Risk?

Secure email platforms like Mailock can encrypt emails end-to-end.

Mailock also checks recipients before they can open them, prompts users when messages look sensitive, and gives senders the power to revoke access if needed - without disrupting their usual email workflow.


References

ICO Email Security Guidance, ICO, 2025

FCA Consumer Duty Rules, FCA, 2025

Secure Communication Principles, NCSC, 2025

95% of Data Breaches Tied to Human Error, Infosecurity Magazine, 2024

Reviewed by

Sam Kendall, 06.08.25


Originally posted on 27 August 2025
Last updated on August 27, 2025

Posted by: Paul Holland

Paul, CEO and Founder of Beyond Encryption, is an expert in digital identity, fintech, cybersecurity, and business. He developed Webline, a leading UK comparison engine, and now drives Mailock, Nigel, and AssureScore to help regulated businesses secure customer data.
