
Email Security: Is Human Error The Greatest Threat?


Email is by far the greatest source of cyber security incidents for businesses today – and it’s all thanks to good old-fashioned human error.

How many emails have you sent today? And how many have you received? We’re willing to bet the answer to at least one of those questions is “Quite a lot.” But how many times have you thought about email security in the same period? Twice? Once? Not at all?

The simple fact is most businesses aren’t doing enough to protect themselves from email-related cyber attacks. Indeed, the UK government’s Cyber Security Breaches Survey 2017 found that email accounted for 72% of all identified breaches and 43% of the most disruptive ones among UK businesses.

Technological solutions like spam filters, firewalls and virus scanners can help to minimise risk and damage, of course, but ultimately it’s the users who are the biggest problem. It’s their mistakes that allow hackers to gain unauthorised access to computer networks. It’s their errors that result in businesses losing an average of £1,570 due to cyber breaches. And yet it’s on them you’ll rely if you really want your business to be secure.

Down With Humans

Let’s be honest: humans are generally a bit rubbish. We carry multiple useless body parts with us, we take between nine and 18 months to learn to walk, we’re terrible at choosing passwords, and we constantly make mistakes. So many mistakes.

A lot of those mistakes happen in our personal lives, of course (usually as the result of alcohol), but in a professional setting, they’re behind the vast majority of cyber security incidents. According to the IBM Security Services 2014 Cyber Security Intelligence Index, “over 95 percent of all incidents investigated recognize ‘human error’ as a contributing factor”.

Your people are your weakest link but also your strongest defence

In a separate, more recent survey, brokerage firm Willis Towers Watson put the figure at 90%, further supporting the idea that human error is the number one security threat to most businesses.

Of course, within that 90-95%, there will be plenty of non-email-related threats, like social media fraud, denial of service attacks and scam phone calls – all attack vectors that may exploit human error. But email is a special case, because of its unique relationship with business. Practically all businesses use email, and frequently, each employee will have their own email address – all of which are potential targets. There are many other ways of communicating with colleagues, such as phone and instant messaging, but email is simple and convenient – and it’s a major source of cyber security threats.

Email Security Threats

Before you can start working on your email security, you need to understand what the dangers are. How is email used to attack businesses? There are a few different methods, and they nearly all rely on human error.


Every day, business people send files to each other via email. Invoices, spreadsheets, proposals and so on. For hackers, it’s easy to disguise malware as a legitimate file, which unsuspecting victims may download without a second thought. That malware could do a number of things. It might steal data, including financial information, which is then either used to commit fraud or sold on the black market, and then used to commit fraud. Or it could, perhaps, install ransomware, which can make data or whole computers inaccessible, until the hackers are paid a ransom – usually in untraceable cryptocurrency.


It’s all too easy to see a link and to click on it. But links may not go where they claim to. Instead of being taken to a legitimate website, you may be directed to a rogue website that automatically downloads malware to your computer.

How secure is your business’s email?


Phishing involves tricking victims into divulging sensitive information – things like passwords, banking details and personal data. This information can then be used to commit fraud or sold to others who will commit that fraud instead. One example is a fake email from a bank, which asks you to click a link to log into your online account. This link, however, goes to a fake version of the website in question, and it then proceeds to steal your login details. The consequences of these attacks can be devastating.


Normal phishing involves sending the same email to thousands or millions of potential victims. A fake banking email, for example, will go to many people who aren’t even customers of that bank. With spearphishing, the scam is much more targeted. Criminals will spend time investigating their targets beforehand, learning the names of important staff members and identifying weaknesses in security. This all makes spearphishing much harder to spot and much more dangerous.

Email Security Starts With You

Combatting human error is clearly a priority that should be addressed by any security-conscious organisation. That involves ongoing training and education, across your entire business. After all, it only takes one weak link to break the whole chain.

When it comes to email security training, there are many options, but one example that we’ve found works well is Webroot Security Awareness Training. Created by security firm Webroot, it offers a comprehensive collection of training resources to educate users about cyber security – including fully featured phishing simulation.

Using this phishing simulator, TMB can create fake phishing emails, which we send to your staff, to gauge their current security awareness and to ultimately point them in the right direction. For example, we could send an email that claims to be offering a free Amazon voucher. When they click the link to claim their voucher, they’re instead directed to a training video, which informs them that they’ve fallen for a phishing attempt and presents them with relevant training material.

Combined with technologies that can block spam email and detect real phishing attempts, resources like Webroot’s Security Awareness Training can make a real difference to the ongoing safety of your business.

If you’re interested in trying out Webroot’s Security Awareness Training for your own business, call TMB on 0333 900 9050 or email us at
