Recent rise in privacy breaches from human error

Privacy Culture | August 27, 2025

The last year has made one thing plain. Human error, triggered by increasingly sophisticated social engineering, is now the weak link in privacy protection. Attackers no longer rely only on brute force or technical exploits. They find a staff member, pose as a trusted contact, and persuade them to hand over access or data.

In August 2025, Allianz Life in the US confirmed that attackers had gained entry to its cloud-based CRM. The personal information of about 1.4 million customers was exposed. Reports suggest that social engineering played a role, with staff tricked into sharing access credentials.

Other global names including Qantas, Chanel, M&S and Pandora were affected by breaches linked to third-party CRM platforms. Once again, attackers relied on human fallibility as much as technical flaws.

Farmers Insurance reported a breach affecting 1.1 million customers, connected to a targeted campaign against Salesforce users. Google admitted that criminals had impersonated IT staff to trick an employee into granting access to its Salesforce databases, risking data from Gmail accounts on a massive scale.

These incidents are part of a broader pattern. AI-driven phishing campaigns and voice phishing are rising fast. Criminals use cloned voices, fake video calls and convincing emails to undermine even the most cautious employee.

A recent industry survey found that 43 per cent of professionals see employee distraction as the biggest cause of cyber incidents. A further 41 per cent highlighted lack of training as the next most common factor.

Why training and culture are the foundation

None of this is new. The idea that people and culture sit at the centre of privacy is built into every major framework. GDPR requires controllers and processors to put appropriate measures in place, and Recital 78 explicitly calls for organisational steps such as training. ISO 27701 and the NIST Privacy Framework go further, setting out ongoing awareness as a core component.

Breaches like those seen this year show why this emphasis is correct. Technology can block a large volume of threats, but if one person is tricked, the controls fall apart.

IBM has estimated that human error contributes to 95 per cent of breaches. Ponemon Institute studies show that companies with effective training see up to 70 per cent fewer successful phishing attacks. Multi-factor authentication is one of the most effective technical defences and adds vital protection, but it does not replace training. Even with MFA in place, employees can still be manipulated into handing over information or approving fraudulent requests. This underlines the balance between people and technical controls.

What effective training looks like

Training works because it makes people alert to signs of manipulation. Poor spelling, pressure to act quickly, or an odd sender address are red flags. Simulated phishing tests also condition staff to think twice before clicking. Perhaps most importantly, training helps create a culture where employees feel safe to admit a mistake or report a suspicious message. Without that cultural layer, incidents are hidden and damage multiplies.

Errors may also stem from misconfiguration, simple oversights, or a lack of checks and balances that leave systems exposed. You should never rely on one person or one control for protection. A layered approach, informed by the nature of processing and an assessment of risk, is essential. Training should be recognised as one of those layers. Even with strong technical measures, staff without the right knowledge can still misconfigure systems or dismiss alerts, so awareness makes the difference.

Many organisations run annual awareness courses, yet breaches continue. The difference between box-ticking and effective programmes is clear.

  • Regular touchpoints. Short, frequent training sessions are more effective than long, one-off events.
  • Simulation. Phishing tests, social engineering scenarios and real case studies stick in the memory.
  • Relevance. Training must be tailored to roles. Finance teams need to recognise invoice fraud. IT staff need to spot impersonation of service providers.
  • Positive reinforcement. Staff should be praised for spotting risks, not punished for reporting slips.

Research has shown that training can reduce phishing click-through from 32 per cent to about 5 per cent. This can save hundreds of thousands of pounds per breach.

Leadership backing is critical. If training is seen as something only the compliance team cares about, it will fail. When senior leaders participate and talk about its importance, staff take it seriously.

What to put into practice on Monday morning

Privacy professionals can act now by:

  • Reviewing training programmes and refreshing them with real-world examples.
  • Building phishing and social engineering simulations into regular workflows.
  • Asking leaders to show visible support for privacy awareness.
  • Checking access to third-party systems, especially CRMs and cloud platforms.
  • Running short awareness sessions on AI-driven threats such as vishing.
  • Creating simple channels for staff to report suspicious activity without fear.
  • Measuring outcomes with reports, test results and engagement scores.
  • Tracking incident reporting trends to see whether awareness is improving and staff feel confident raising concerns.

These are practical steps that reinforce the human side of privacy frameworks. They are not an optional extra. They are the core of sustainable compliance.

Closing invitation

Privacy protection is strongest when people understand the role they play and feel part of a culture that values it. Technology matters, but without awareness and openness, organisations will remain exposed.

If you want to know how well your organisation is embedding these foundations, take our free privacy insights survey. In just a few minutes you will get a score for your current posture and practical pointers for improvement.

Click to start the survey today and see how ready your organisation really is.