Despite the majority of organisations already using AI, 85% of British decision makers say ‘improvement is needed’ to ensure AI tools/agents operate within the organisation’s security policies and approved risk limits
KnowBe4, the global leader in digital workforce security, securing both AI agents and humans, has revealed the UK-specific findings of its latest research report: From Agentic Risk to Human Wins. The research found that UK organisations are increasingly concerned about employees using unapproved software and AI tools, with 58% of decision makers citing it as their top human-related cyber risk. The concern is well founded: 55% of employees admit to using unapproved tools, while 1 in 10 knowingly entered sensitive information into AI platforms despite understanding the risks.
The research features insights from 80 decision makers and 300 employees in the UK. Respondents represent organisations with 250 or more employees and span both private and public sectors across a wide range of industries, such as information technology, healthcare, consumer services and others.
Confidence Deficit
Employees are consistently less confident in their ability to identify cyber threats than cyber decision makers think they are. The deficit is particularly pronounced for deepfake video or audio impersonation, which 81% of decision makers believe employees could identify, compared with only 66% of employees themselves.
Both decision makers and employees are most confident in their ability to spot phishing emails (98% of decision makers are confident that their employees could identify a phishing email, compared to 95% of employees themselves). In the UK, the human-related cyber risk indicator that organisations measure most frequently is phishing reporting rates (44%), which perhaps shows why phishing awareness is so prevalent among employees.
Traditional threats still cause concern for employees
In the UK, according to employees, the top cause of human-related cyber risk in their organisation is phishing or impersonation emails (56%). Only 40% of decision makers noted that this is a main cause, ranking it third, below sensitive data shared with AI tools (46%) and AI tools/agents taking actions without human oversight (43%).
Decision makers seem to be more concerned about emerging threats, like AI usage, yet only 16% of decision makers say they’re currently effective in managing the safe use of AI tools and AI agents.
AI Poses Growing Concern for British Decision Makers
Almost half (49%) of decision makers said that managing the safe use of AI tools and AI agents is one of their top concerns. In fact, 46% of decision makers said they have specific targets for improving the safe use of AI agents in day-to-day workflows over the next 12 months.
This is critical, as almost one in five (19%) decision makers said that AI tools/AI agents take actions autonomously in multiple workflows with limited human oversight. Of those respondents who said their organisation uses AI tools/agents in workflows today, 85% say ‘improvement is needed’ to ensure AI tools/agents operate within the organisation’s security policies and approved risk limits.
High Workloads and Pressure Cause Cyber Risk
Another of the biggest perceived threats to British organisations in the next 12 months is high workloads and fatigue, with 38% of decision makers noting that high workloads or time pressures are likely to contribute to cyber related mistakes made by employees. This rise in pressure coincides with rising expectations to embrace and use AI as a productivity tool.
Nearly half of employees (47%) acknowledged that time pressure or distraction can lead to security mistakes even when they know the safe action to take. Meanwhile, 93% of decision makers said that employees often know the right thing to do when facing cyber threats but may act differently under pressure. The findings suggest that security failures are less about knowledge gaps and more about behavioural responses under pressure, with the recognition that stress and distraction often override good security judgement.
Regulations and Organisational Guardrails
When it comes to existing regulations, 84% say that regulatory reporting requirements are the primary driver of how quickly cybersecurity incidents are escalated and reported within their organisation. Additionally, 85% of decision makers say that the Cyber Security and Resilience Bill will play a significant role in how they manage human-related cyber risk. This is highlighted by the fact that 39% of decision makers say that risks from third-party organisations/suppliers are one of the biggest drivers of human-related cyber risk within their organisation. The supply chain is one of the biggest focuses of the upcoming bill.
“Undeniably, AI tools and agents are reshaping the workplace, but organisations can’t afford to overlook the human element of cybersecurity,” said Javvad Malik, lead CISO advisor at KnowBe4. “Our research shows that while UK businesses are embracing AI to drive productivity, many employees are still under pressure, using unapproved tools and regularly facing (and fearing) sophisticated threats such as deepfakes and phishing. Building a strong security culture, especially one that prioritises education, behavioural support and safe AI adoption, will be critical to reducing human-related cyber risk in the years ahead.”

