
Cybersecurity Without Human Risk Is Half a Solution

January 2026

The human context

You have the firewalls. You have the monitoring. You patch, you segment, you test your incident response. As technical security improves, attacks logically shift toward people. That is why you run awareness training, conduct exercises, and perform phishing tests. And still, you know it is not enough. The incidents that keep you up at night do not start with technology alone; they start with people, as insider threats. And that requires a fundamentally different type of analysis than most organizations apply today.

People have a context that systems do not: financial pressure, loyalties, external influence, and personal circumstances. That context makes individuals susceptible in ways no system can detect and no annual training can eliminate.

The attack is shifting toward people

It is not a new observation that humans are the weakest link. What has changed is how systematically that link is being targeted. State actors and organized criminals increasingly focus on employees within organizations, as they provide the shortest path to critical systems, locations, and information. Employees are financially incentivized, coerced, or pressured, as highlighted in the Insider Risk Trend Report 2025¹. The percentage of organizations experiencing insider incidents, including espionage, fraud, sabotage, and data breaches, increased from 66% to 76% over the past five years¹.

The difference between intent and vulnerability

This is where many security programs fall short. Insider threat is often treated as an intent problem: someone has malicious intent, so you screen for criminal records and request background checks. However, the most dangerous situations do not arise from malicious individuals, but from vulnerable ones.

An employee with extensive access rights, financial pressure, and an unclear role is a risk — even if acting in good faith. Vulnerability is not always visible in a database. It requires a different type of assessment: not compliance-driven, but intelligence-driven and focused on human risk. Screening is not about distrust toward candidates; it is about due diligence toward the organization and the individual, protecting them from being placed in a position that makes them vulnerable.

What new regulation adds to this

Human risk does not exist in isolation. This misconception leaves organizations exposed. Physical, digital, organizational, and human vulnerabilities are interconnected and require an integrated security approach. Regulations such as the Critical Entities Resilience Act and the Cybersecurity Act (NIS2 implementation) focus on physical and digital resilience, while national security is further reinforced through frameworks such as the General Security Requirements for Government Contracts (ABRO), which also impose requirements on personnel and organizational measures.

Voluntary compliance is no longer an option. Boards increasingly face both proactive and reactive oversight, as well as reporting and duty-of-care obligations. Failure to comply is considered improper management and can result in administrative penalties for both the organization and individual board members. This makes human risk a board-level issue. Not as an abstract concern, but as a demonstrably controlled risk: are access rights properly aligned with roles, is there role-based screening for critical positions, are third-party and contractor policies in place, and are there procedures for handling signals that are not directly visible in systems?

If these questions cannot be answered and documented, the risk is not under control when an incident occurs.

The question that remains

You secure your systems. But who is securing the people within them? And can you demonstrate today that you take this seriously, not only to your board but also to a regulator who will ask exactly that question after an incident?

Managing human risk starts with an honest risk assessment: for which roles in your organization can a single individual, through vulnerability or misuse, cause significant harm? Based on that assessment, proportional screening follows, going beyond what databases reveal: financial vulnerability, international connections, personal circumstances. Not as a standard check for everyone, but tailored to the actual risk profile of the role.

Proximities supports organizations in vital, critical, and essential sectors in implementing this in a practical and proportionate way, from screening policies and role matrices to carefully conducted investigations when there are indications that more is at play than “just an incident.” For more information, please contact us for a non-binding consultation.

Sources

¹ Signpost Six, Insider Risk Trend Report 2025, published January 2025, via Emerce.nl and Securitymanagement.nl.

² NCTV / Digitale Overheid, Cyberbeveiligingswet (Cbw), implementation of the NIS2 Directive.

³ La Gro Advocaten, Bestuurdersaansprakelijkheid in Cybersecurity, 2024.

⁴ Directive (EU) 2022/2555 (NIS2), Article 20 and Article 21, EUR-Lex.
