Why human error is still your top cybersecurity risk

We deal with countless cyber incidents every year and most of them have one thing in common: human error. A common example is staff falling for a phishing campaign and giving away login credentials that allow the criminals to gain access to your business. System administrators can also be the root cause; we see examples of bad configuration and disabled security controls, which leave the business wide open to attack.

Remote working can increase risk. Staff tend to behave differently in a more relaxed, home-based environment and may let their guard down. Cyber criminals know this, and attack using mass phishing emails, trick text messages and impersonation phone calls. They gather information and exploit vulnerabilities. Defending against this requires a far more sophisticated approach than technology alone.

You need a layered approach to control the “human factor”.

Policies

The starting point is to agree what is allowed and what is not allowed. Are your staff aware of your policies and processes? That is not to say that everything should be banned, far from it, but understanding the risks attached to your policies allows you to put in place appropriate mitigations. A common example is staff using company computers to log in to personal accounts such as Google. Another is allowing the use of personal mobile phones to access work emails. If uncontrolled, these two things can cause significant issues. Does this sound like your business? If so, we recommend you do something about it.

Preventative controls

Only when you understand what your policies are can you begin to consider how you configure the technology that you already have in place. Your software and systems will have controls that can dramatically reduce the risk if you get an expert to configure them properly. From web browser settings, through antivirus configuration, to laptop configuration, getting these working together coherently reduces your reliance on staff.

People competence

It is not enough just to tell people to be careful and to look out for “dodgy emails”. Training, testing, simulation, and communication are the tools required to improve staff competence against these threats. Typically, we find 20%-25% of staff will fall for a simulated attack but this can be addressed by implementing a proper cyber awareness programme. Effective training and improved communications will start to change culture.

Governance

This final layer is mainly about proportionate measures to make sure you stay in control and to help you sleep at night. How often do you check that staff are complying with your policies? Do you have any kind of independent assurance that the configuration and controls you have set up actually provide protection, continue to work, and are not becoming ineffective over time?

At its core this is all about risk management. You need to make yourself aware of the cyber threats facing your business and the likely consequences of successful cyberattacks. The layers above should be used to mitigate and control the risks to reduce them to an acceptable level.

This article was produced by our Strategic Partners Mitigo. Take a look at their full service offer on our member benefit page.

Law Society of Scotland | © 2025