What’s Next for Human Risk? We Asked Our CTO
Published on: 20 Nov 2025

The future of cybersecurity will be defined by people, not just technology. As threats evolve, human risk — the choices, habits, and culture within organisations — will shape resilience more than ever.
In this Q&A, Andy Fielder looks ahead at how leaders can anticipate tomorrow’s challenges and build a security mindset that lasts.
What do you see as the most significant cyber threats organisations are dealing with today?
The most significant threats haven’t necessarily changed, but they’ve evolved to become more sophisticated and harder to defend against. Ransomware remains a major concern today, but what’s striking is how professionalised it’s become. These groups now operate like legitimate SaaS businesses, complete with tech teams, support desks, and structured operations. That level of organisation has made it easier for more people to get involved, and the financial incentive is enormous. Some estimates suggest cybercrime revenues, across all types, rival the size of Russia’s economy. With that kind of return, it’s no surprise that organised crime continues to invest heavily in this space.
Credential theft is another major threat. Most organisations have reasonable technical controls in place to protect against common attacks, so attackers are increasingly targeting user credentials. By compromising non-business platforms where people reuse passwords, they can harvest login details and use bots to validate which ones work. These credentials are often stored and used later in targeted attacks. It’s a methodical approach that bypasses traditional defences and is highly effective.
The third area of concern is supplier compromise. Businesses can no longer think of themselves as isolated entities. Attackers understand that suppliers often have weaker security postures, and they exploit that trust gap. We’ve seen high-profile cases in retail and automotive where breaches have occurred through a supplier, not the company. Once inside, attackers pivot to the primary target. It’s a clear reminder that cybersecurity must extend beyond the organisation to its entire ecosystem.
How have these threats evolved over the past few years — and what’s driving that change?
The biggest shift has been the professionalisation of cybercrime. It used to be something people did for fun — a teenager in their bedroom trying to prove they could break in. That still happens, but what’s really changed is the rise of structured, organised operations. These groups now function like proper businesses, with teams, infrastructure, and objectives. That level of organisation has made attacks more scalable, more targeted, and far more dangerous.
State-led activity has also ramped up significantly. Cyber warfare has become a recognised tool for economic and geopolitical disruption — a way for nations to influence or cause damage without physical conflict. The threat this poses is very different now. It’s strategic, well-funded, and often aimed at undermining national infrastructure or major businesses.
At the same time, better technical controls have forced attackers to shift their tactics. It’s harder to break through firewalls and endpoint protections, so the focus has moved to human behaviour. Social engineering has become one of the easiest and most effective ways in. If an attacker can trick someone into handing over credentials or gather enough personal information to impersonate them, they can bypass technical safeguards. Once they’re in, they look like a legitimate user, and detection only occurs when suspicious activity begins. This shift from systems to people is one of the most significant evolutions we’ve seen.
In light of these changes, how have organisations had to rethink their approach to cyber defence?
There’s now a real emphasis on the supply chain. Businesses are recognising that they’re only as secure as the vendors and partners they rely on. That means understanding who those suppliers are, how they manage their own security, and holding them accountable. Supplier compromise is one of the most likely entry points for an attack today, and that shift has forced companies to widen their defensive lens beyond their own walls.
At the same time, there’s been a mindset shift around technical controls. It used to be that if you had solid firewalls, a good Security Operations Centre (SOC), and the right tools in place, you felt reasonably confident. But attackers have adapted. They’re going after credentials, which means they can bypass all those layers of protection. Most breaches now stem from human error — someone clicking the wrong link, sharing the wrong detail, or reusing a password.
Unlike technical controls, which behave consistently, people are unpredictable. We all have different risk appetites and habits, and that variability is hard to manage. This has led to a broader recognition that cybersecurity isn’t just a technical issue anymore — it’s a human one. Security is no longer the exclusive responsibility of IT; it’s everyone’s job. This shift from tech-first to people-first is one of the most important changes we’ve seen.
Looking ahead 3–5 years, which emerging threats do you believe will pose the greatest challenge?
AI is already changing the game on both sides. Defensively, we can use AI to identify patterns, detect abnormal behaviours, and cut through noise to highlight real threats. But criminals are using the same technology to make their attacks more convincing and effective.
Take phishing. It used to be easy to spot because of poor spelling and grammar. Now, AI can create messages that look completely legitimate, making them far harder to identify. That will only get more sophisticated. It’s becoming more important for people to understand how these threats appear so they don’t get caught.
Looking further ahead (5 to 15 years), quantum computing will be a game-changer. It will break the encryption methods that currently protect banking, cryptocurrencies, and more. It’s a daunting prospect because much of what we rely on for digital trust could be compromised. Although still some way off, it’s a threat we’ll eventually have to face.
PQC (Post-Quantum Cryptography) standards are emerging that will help protect in a quantum world. Companies need to start understanding their cryptography footprint and planning their transition to PQC to be ready.
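The first step the answer above calls for, understanding your cryptography footprint, can begin on the machine in front of you. The following is an added example (not code from the interview or from MetaCompliance): it lists the TLS cipher suites the local OpenSSL build will negotiate, as reported by Python's standard `ssl` module, and flags the ones whose key exchange or authentication rests on RSA, Diffie-Hellman or elliptic-curve signatures, which is exactly the class of algorithm a large quantum computer running Shor's algorithm would break. The severity rules and the `kx-*` / `auth-*` names it matches on are this example's assumptions about the dictionaries `SSLContext.get_ciphers()` returns; it covers only the TLS layer, so certificates, SSH keys, code-signing keys and data-at-rest encryption still need their own inventory.

```python
"""Cryptographic footprint starter: list the TLS cipher suites the local
OpenSSL build will negotiate and flag the ones whose security rests on
public-key algorithms a large quantum computer would break.

Only the standard-library `ssl` module is used. The severity rules below
are this example's own assumptions, not a published standard.
"""
import ssl
from collections import Counter

# Key-exchange / authentication names as reported by SSLContext.get_ciphers()
# (assumed spellings). Every one of these rests on factoring or discrete
# logarithms, which Shor's algorithm breaks.
SHOR_BROKEN_KX = {"kx-rsa", "kx-dhe", "kx-ecdhe", "kx-dh", "kx-ecdh", "kx-srp"}
SHOR_BROKEN_AUTH = {"auth-rsa", "auth-dss", "auth-ecdsa", "auth-srp"}


def classify_suite(suite):
    """Assess one cipher-suite dict (shape of ssl.SSLContext.get_ciphers()).

    Severity returned:
      critical - key exchange or authentication breaks under Shor
      review   - TLS 1.3 suite: the public-key part is decided by the
                 negotiated group and signature algorithm, so inspect those
      ok       - nothing in this suite itself is quantum-vulnerable
    Symmetric keys under 256 bits are reported as a note only: Grover halves
    their effective strength, which still leaves AES-128 at roughly 64 bits
    of quantum work, far costlier in practice than running Shor on RSA.
    """
    kx = suite.get("kea") or ""
    auth = suite.get("auth") or ""
    bits = suite.get("alg_bits") or 0
    reasons = []
    severity = "ok"

    if kx in SHOR_BROKEN_KX:
        reasons.append(f"{kx}: key exchange broken by Shor (harvest-now, decrypt-later risk)")
        severity = "critical"
    if auth in SHOR_BROKEN_AUTH:
        reasons.append(f"{auth}: signatures forgeable once a large quantum computer exists")
        severity = "critical"
    if kx == "kx-any" and auth == "auth-any" and severity == "ok":
        reasons.append("TLS 1.3: check negotiated groups (ML-KEM hybrid?) and signature algorithms")
        severity = "review"
    if 0 < bits < 256:
        reasons.append(f"{bits}-bit symmetric key: Grover reduces this to ~{bits // 2}-bit work")

    return {"name": suite.get("name"), "severity": severity, "reasons": reasons}


def inventory(suites):
    """Classify a list of suite dicts; returns (per-suite results, severity counts)."""
    results = [classify_suite(s) for s in suites]
    counts = Counter(r["severity"] for r in results)
    return results, dict(counts)


def local_tls_footprint():
    """Inventory the suites Python's default client context would offer."""
    ctx = ssl.create_default_context()
    return inventory(ctx.get_ciphers())


if __name__ == "__main__":
    results, counts = local_tls_footprint()
    print(f"{len(results)} suites offered; by severity: {counts}")
    for r in results:
        if r["severity"] != "ok":
            print(f"[{r['severity']:8}] {r['name']}")
            for reason in r["reasons"]:
                print(f"            - {reason}")
```

Run it on a build server, a load balancer and a developer laptop and the counts will differ; that difference is the footprint you are trying to map. The "review" bucket matters most going forward: TLS 1.3 suites look clean here, but whether a connection is quantum-safe depends on the key-exchange group actually negotiated, so a hybrid ML-KEM group (FIPS 203) has to be enabled and preferred on both ends before the transition is real.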
What practical steps can organisations take to future-proof themselves against evolving risks?
The key is resilience — assuming an incident will happen and preparing accordingly. That means having robust detection tools like SIEM platforms that aggregate logs across systems and use AI plus human analysis to spot threats early.
It’s also about testing disaster recovery and incident response plans so everyone knows their role. How will you isolate affected systems? Who communicates with stakeholders? Do you have forensic specialists on call?
A well-prepared organisation can detect, contain, and recover quickly — and communicate transparently. This builds trust, because customers understand that no one is immune to cyberattacks.
Another key principle is “shift left,” which means embedding security from the start of product design or system development rather than bolting it on later. Building securely by design is far more effective.
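The detection-and-triage picture above, and the credential-theft pattern described earlier (bots validating harvested passwords, the working ones stored and used later), come together in the following added example. It is not code from the interview or from MetaCompliance: it aggregates authentication events from two differently formatted sources, a VPN gateway and a web portal, into one event stream, the way a SIEM would, then applies two rules. The first flags a source IP that cycles through many distinct usernames inside a short window with mostly failures. The second raises the alert an analyst actually wants: an account that was validated during such a burst logging in successfully later, from an IP that took no part in the burst. The log lines, host names, field layouts and thresholds are all constructed for the example.

```python
"""Correlate authentication events from two log sources and surface the
credential-stuffing pattern: one source IP cycling through many usernames,
mostly failing, followed by a credential validated in that burst being used
later from somewhere else.

The log lines, formats, hosts and thresholds below are constructed for this
example and are not taken from any real system.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed VPN gateway log (key=value syslog style).
VPN_LOG = """\
2025-11-20T08:00:01Z vpn01 auth user=alice src=203.0.113.7 result=fail
2025-11-20T08:00:04Z vpn01 auth user=bob src=203.0.113.7 result=fail
2025-11-20T08:00:09Z vpn01 auth user=dave src=203.0.113.7 result=fail
2025-11-20T08:00:15Z vpn01 auth user=gina src=198.51.100.5 result=success
2025-11-20T14:32:40Z vpn01 auth user=carol src=192.0.2.44 result=success
"""

# Constructed web-portal log (one JSON object per line).
PORTAL_LOG = """\
{"ts": "2025-11-20T08:00:02Z", "user": "carol", "ip": "203.0.113.7", "event": "login_success"}
{"ts": "2025-11-20T08:00:06Z", "user": "erin", "ip": "203.0.113.7", "event": "login_failed"}
{"ts": "2025-11-20T08:00:12Z", "user": "frank", "ip": "203.0.113.7", "event": "login_failed"}
{"ts": "2025-11-20T09:01:30Z", "user": "alice", "ip": "198.51.100.10", "event": "login_success"}
"""


@dataclass(frozen=True)
class AuthEvent:
    """Common shape both sources are normalised into."""
    ts: datetime
    source: str
    user: str
    ip: str
    success: bool


VPN_RE = re.compile(r"^(\S+) (\S+) auth user=(\S+) src=(\S+) result=(\w+)$")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_vpn(log):
    events = []
    for line in log.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts, host, user, ip, result = m.groups()
            events.append(AuthEvent(_parse_ts(ts), host, user, ip, result == "success"))
    return events


def parse_portal(log):
    events = []
    for line in log.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append(AuthEvent(_parse_ts(rec["ts"]), "portal", rec["user"],
                                    rec["ip"], rec["event"] == "login_success"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.2):
    """Per source IP, look for a window holding many distinct usernames with
    mostly failures. Returns {ip: {"tried": set, "validated": set, "last": ts}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):
            chunk = [e for e in evs[i:] if e.ts - evs[i].ts <= window]
            users = {e.user for e in chunk}
            if len(users) < min_users:
                continue
            if sum(e.success for e in chunk) / len(chunk) > max_success_ratio:
                continue
            entry = flagged.setdefault(ip, {"tried": set(), "validated": set(), "last": chunk[-1].ts})
            entry["tried"] |= users
            entry["validated"] |= {e.user for e in chunk if e.success}
            entry["last"] = max(entry["last"], chunk[-1].ts)
    return flagged


def delayed_use_alerts(events, flagged):
    """A later success for an account validated in a burst, from an IP that was
    not part of the burst, is the 'stored and used later' signal."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success or ev.ip in flagged:
            continue
        for ip, info in flagged.items():
            if ev.user in info["validated"] and ev.ts > info["last"]:
                alerts.append({"user": ev.user, "source": ev.source, "ip": ev.ip,
                               "validated_by": ip, "delay": ev.ts - info["last"]})
    return alerts


def triage(vpn_log=VPN_LOG, portal_log=PORTAL_LOG):
    """Aggregate both sources, then run the two rules; returns (flagged, alerts)."""
    events = parse_vpn(vpn_log) + parse_portal(portal_log)
    flagged = find_stuffing_sources(events)
    return flagged, delayed_use_alerts(events, flagged)


if __name__ == "__main__":
    flagged, alerts = triage()
    for ip, info in flagged.items():
        print(f"stuffing source {ip}: tried {len(info['tried'])} accounts, validated {sorted(info['validated'])}")
    for a in alerts:
        print(f"ALERT: {a['user']} logged in to {a['source']} from {a['ip']} "
              f"{a['delay']} after being validated by {a['validated_by']}")
```

Two design points matter here. Neither source alone shows the burst: the VPN saw three names and the portal three more, so the six-username threshold is only crossed once the streams are joined, which is the aggregation argument for a SIEM in concrete form. And the second rule deliberately keys on accounts that succeeded during the burst, not every account that was tried: alice's normal login at 09:01 is left alone, while carol's login six and a half hours later from a fresh IP is the one event an analyst needs to look at first.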
Are there any recent or upcoming regulations that could reshape how organisations manage cybersecurity risk?
Yes, particularly from the EU. The Digital Operational Resilience Act (DORA) is having a significant impact. It places strong emphasis on supplier risk management — holding third parties accountable and ensuring organisations understand their full supply chain security posture.
The EU Cyber Resilience Act (CRA) focuses on software and IoT devices, ensuring digital products are secure by design throughout their lifecycle. It brings major penalties for noncompliance — €15 million or 2.5% of global turnover. This is likely to apply from 2027, so SaaS providers need to start preparing now.
In what ways is artificial intelligence transforming the landscape of risk management?
AI is transforming risk management both defensively and offensively.
On the defensive side, it analyses the vast amount of data our systems generate — detecting anomalies, highlighting risks, and automating triage so human analysts can focus on containment.
On the offensive side, criminals use AI to test systems, generate deepfakes, and run sophisticated phishing, smishing, and social engineering campaigns. That’s why education is essential. People must learn how realistic these threats can be, experience simulations, and verify sources rather than trust what they see online. Awareness and validation are crucial.
Could automation ever fully replace human judgement in responding to cyber incidents?
No. Automation accelerates detection and surfaces the right information, but human judgement is essential.
Every organisation has different risk appetites and contexts. What’s critical for a bank may not be for a retailer. Automation supports decision-making, but it can’t replicate the nuanced understanding humans bring.
The best approach combines automation and human insight — one cannot replace the other.
How can organisations better empower their workforce to be the first line of defence?
It starts with culture. Security must be everyone’s responsibility, not just that of a specific team. When employees feel invested in protecting the organisation and themselves, the whole posture improves.
Education and the right tools are vital, but culture drives behaviour. Moving away from punitive approaches and instead rewarding good security habits is far more effective. You don’t want a culture of fear — you want shared responsibility and awareness.
Ultimately, empowering people to protect the organisation also empowers them to protect themselves in their personal lives.
Cyber risks don’t stand still. Neither should you. Explore more on the MetaCompliance blog.