SME cybersecurity: what ratio of human error versus cybercriminal in data breach losses?
Most breaches start with a human mistake, but criminals drive the cost. Learn practical SME controls aligned to NCSC and Cyber Essentials.
A finance team clicks one convincing email; six hours later you are locking down Microsoft 365, calling the bank, and trying to work out whether you must report to the ICO within 72 hours. For UK SMEs, the uncomfortable truth is this: losses are usually caused by cybercriminals, but incidents often start with human error.
Verizon’s 2024 Data Breach Investigations Report (DBIR) found the “human element” featured in 68% of breaches. That does not mean 68% were “staff being careless”; it includes people being tricked, people mis-sending data, and people making configuration mistakes that create openings. The attacker still chooses to exploit it; the cost still lands with the business.
What does “human error” mean in a breach, in plain English?
Human error is any people-related factor that enables a security incident. In SMEs, it typically looks like:
* A misdirected email containing personal data, often to the wrong customer or supplier.
* A successful phishing message that captures a password or MFA code.
* A rushed admin change such as disabling a security feature “temporarily”, then forgetting.
The ICO’s incident trend reporting consistently shows accidental disclosure and misdirected communications as recurring themes in personal data incidents. These are not Hollywood hacks; they are everyday operational slip-ups that become UK GDPR headaches.
What counts as “cybercriminal activity”, and why it dominates the losses?
Cybercriminal activity is the deliberate abuse of systems for money, disruption, or data theft. In SME terms, the big-ticket losses tend to come from:
* Business email compromise (BEC) and invoice fraud; attackers redirect payments.
* Ransomware; operations stop, recovery costs spike, customers get nervous.
* Credential stuffing and account takeover; attackers reuse leaked passwords to get into cloud services.
So, what is the ratio? A realistic working model for advisers is 70:30 in cause and effect:
* Cause (entry point): often human-enabled (phishing, mis-send, misconfiguration).
* Effect (financial loss): largely criminal-driven (fraud, extortion, resale of data).
It is not a clean split because the same incident can include both; a staff member is phished (human element), then the criminal exfiltrate’s data and extorts you (criminal action).
