by Nick Moss

Services Director

The Critical Role of Human Risk Management in Retail Cybersecurity

Nick Moss, Saepio Services Director, explains how retailers can use Human Risk Management to defend against emerging threats.

As the retail industry continues to embrace digital transformation, cybersecurity threats have become more complex and frequent. With every transaction, piece of customer data, and digital platform, retail companies expose themselves to a growing number of cyber threats. Yet, one element remains at the heart of most breaches—humans. From falling for phishing scams to making unintentional errors, human vulnerabilities are a leading cause of security incidents.

In fact, according to a recent Verizon report, 68% of breaches involve a non-malicious human element. So, what can retail CISOs do to protect their companies from these risks? The answer lies in effective Human Risk Management (HRM).

What is Human Risk Management (HRM) and why is it Important?

Human risk management focuses on the security behaviours of employees and helps mitigate risks caused by human actions. A proactive HRM strategy goes beyond traditional cybersecurity measures, addressing the “accidental insider”—the well-meaning employee who unintentionally exposes the business to cyber threats.

Forrester defines HRM solutions as solutions that manage and reduce cybersecurity risks posed by and to humans through:

  • Detecting and measuring human security behaviors and quantifying the human risk.
  • Initiating policy and training interventions based on the human risk.
  • Educating and enabling the workforce to protect themselves and their organization against cyber-attacks.
  • Building a positive security culture.

Consider this: according to a Gov.UK survey, 50% of businesses reported experiencing a cybersecurity breach or attack in the last 12 months.

No matter how sophisticated your firewall or anti-virus software may be, it only takes one employee clicking on a fraudulent email to expose your entire system. Social engineering exploits the human tendency to trust seemingly legitimate communications. This makes managing human risk not just an optional layer of protection but a critical component of any retail cybersecurity strategy.

Identifying your insider threats

In a retail environment, employees are juggling various tasks under pressure. Whether they’re handling customer queries, managing stock, or processing payments, the risk of distraction is high. It’s in these moments of divided attention that mistakes happen. From sending sensitive data to the wrong email address to downloading a malware-infected attachment, the accidental actions of employees can have devastating consequences for your organisation. Using an HRM service, you can identify those risky behaviours in real time and target training to address them specifically.

Many retail CISOs tend to focus on protecting their networks from malicious outsiders—hackers and cybercriminals. However, the truth is that the most significant threat often comes from within. Employees, through no fault of their own, can fall victim to well-crafted social engineering attacks. By having a strategy in place to identify their weak points and educate staff on them, you can strengthen your team’s resilience against the threats they are most susceptible to.

How nudging and real-time coaching are helping retailers identify insider threats

So, how can retail companies address these risks? This is where nudging and real-time coaching come into play. Gartner predicts that by 2025, 40% of cybersecurity programs will deploy socio-behavioural principles, like nudge techniques, to influence security culture across organisations. Nudging involves delivering timely and relevant prompts that encourage employees to make more secure decisions. For example, if an employee is about to click on a suspicious link, a nudge can prompt them to reconsider their action. This approach not only reduces the chances of human error but also helps employees internalise safe behaviours over time.

In many industries, including retail, you need to find additional ways to educate staff about human risk management outside of traditional security awareness training. Real-time coaching enables you to identify risky behaviours across different departments from finance to logistics. This data can then be used to build a unique learning path for your employees, allowing you to educate at the point of event, but also to create a training plan based on behaviour.
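As an added example (not code from the original article, and not Saepio's, KnowBe4's or SecurityCoach's implementation), the Python sketch below shows the loop the two paragraphs above describe: detection rules run over workplace events as they arrive, each hit sends a nudge to the employee at the point of event, and hits are tallied per department so a behaviour-based training plan can be built from the same data. The rule names, weights, training modules, mail domains, department names and sample events are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from collections import defaultdict
from typing import Callable

# Constructed assumptions: the retailer's own mail domain and file types
# treated as programs when they arrive as attachments.
CORP_DOMAINS = {"example-retail.co.uk"}
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs")


@dataclass(frozen=True)
class Event:
    """One observed workplace action, as a detection connector would report it."""
    user: str
    department: str
    kind: str          # "email_sent", "link_clicked" or "file_downloaded"
    details: dict


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int                      # contribution to the department risk score
    training_module: str             # module assigned when the rule fires
    nudge: str                       # prompt shown to the employee at that moment
    matches: Callable[[Event], bool]


def _external_recipient(ev: Event) -> bool:
    """True when the recipient's mail domain is not one of ours."""
    domain = ev.details.get("recipient", "").rsplit("@", 1)[-1].lower()
    return domain not in CORP_DOMAINS


RULES = [
    Rule("sensitive-data-to-external", 5, "Handling customer data",
         "This message is labelled confidential and is addressed outside the "
         "company. Check the recipient before sending.",
         lambda ev: ev.kind == "email_sent"
         and ev.details.get("classification") == "confidential"
         and _external_recipient(ev)),
    Rule("suspicious-link-click", 3, "Recognising phishing",
         "The web filter flagged this link as suspicious. If you were not "
         "expecting it, report the email instead of proceeding.",
         lambda ev: ev.kind == "link_clicked"
         and ev.details.get("filter_verdict") == "suspicious"),
    Rule("executable-attachment-from-outside", 4, "Safe handling of attachments",
         "This attachment is a program file from an external sender. "
         "Contact IT before opening it.",
         lambda ev: ev.kind == "file_downloaded"
         and ev.details.get("sender_type") == "external"
         and ev.details.get("filename", "").lower().endswith(RISKY_EXTENSIONS)),
]


def evaluate(event: Event) -> list[Rule]:
    """Return every rule the event triggers (an event may match several)."""
    return [rule for rule in RULES if rule.matches(event)]


def run(events: list[Event]) -> dict:
    """Real-time loop: one nudge per hit, plus a per-department risk tally
    and the set of training modules that tally implies."""
    nudges = []                  # (user, rule name, nudge text)
    risk = defaultdict(int)      # department -> score
    plan = defaultdict(set)      # department -> training modules
    for ev in events:
        for rule in evaluate(ev):
            nudges.append((ev.user, rule.name, rule.nudge))
            risk[ev.department] += rule.weight
            plan[ev.department].add(rule.training_module)
    return {
        "nudges": nudges,
        "risk_by_department": dict(risk),
        "training_plan": {d: sorted(m) for d, m in plan.items()},
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("amira", "finance", "email_sent",
          {"recipient": "supplier@partner-example.com", "classification": "confidential"}),
    Event("ben", "logistics", "link_clicked",
          {"url": "http://invoice-update.example.net/login", "filter_verdict": "suspicious"}),
    Event("chloe", "finance", "file_downloaded",
          {"filename": "Invoice_0423.pdf.exe", "sender_type": "external"}),
    Event("dev", "store-ops", "email_sent",
          {"recipient": "manager@example-retail.co.uk", "classification": "confidential"}),
    Event("ben", "logistics", "link_clicked",
          {"url": "https://intranet.example-retail.co.uk/rota", "filter_verdict": "clean"}),
]

if __name__ == "__main__":
    report = run(SAMPLE_EVENTS)
    for user, rule, text in report["nudges"]:
        print(f"[nudge -> {user}] ({rule}) {text}")
    print("risk by department:", report["risk_by_department"])
    print("training plan:", report["training_plan"])
```

Running it on the five constructed events yields three nudges (the internal confidential email and the clean intranet link produce none), a risk score of 9 for finance and 3 for logistics, and a training plan that assigns finance the data-handling and attachment modules and logistics the phishing module. In a real deployment the `Event` records would come from the mail, web-proxy and endpoint connectors the article refers to as API connections, and the weights would be tuned to the retailer's own risk appetite.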

Human Risk Management in the age of AI

The rise of Generative AI (Gen AI) adds a new layer of complexity to human risk management. Retailers are increasingly using AI to improve customer experiences, from chatbots to personalised marketing. However, cybercriminals are also leveraging AI to enhance their attacks, by exploiting back doors in an age of rapid development. The retail industry must be prepared to manage the human risk associated with these technologies, especially as they become more integrated into daily operations.

CrowdStrike has identified examples of how AI is used in social engineering attacks. AI can easily be used to:

  • Identify an ideal target, including both the overall corporate target and a person within the organisation who can serve as a gateway to the IT environment.
  • Develop a persona and corresponding online presence to carry out communication with the attack target.
  • Develop a realistic and plausible scenario that would generate attention.
  • Write personalised messages or create multimedia assets, such as audio recordings or video footage, to engage the target.

This makes human detection and response more critical than ever. Employees need to be able to recognise and respond to AI-driven cyber threats in real time.

How to defend against evolving cybersecurity threats

Nudging and real-time coaching allow you to put safeguards in place to mitigate risk while you educate staff. With the ability to select system detection rules, you can select multiple rules across multiple API connections, including but not limited to:

At Saepio, we believe that a comprehensive HRM programme must do more than just provide traditional security awareness training. It must mitigate risk day-to-day. By utilising SecurityCoach, our M-SAT nudging tool through KnowBe4, we add an extra layer of protection for employees.

What does an effective human risk management programme look like? We believe it should:

  1. Identify and Evaluate Human Security Behaviours: With the help of sophisticated tools, you can monitor and evaluate employee actions to uncover potential vulnerabilities.
  2. Implement Policies and Training Solutions: Customised training programmes and policy updates can target specific weaknesses, equipping staff with the knowledge they need to avoid similar mistakes going forward.
  3. Empower Your Workforce Through Education: Enable your employees to spot and react to emerging threats by offering them continuous and relevant training.
  4. Cultivate a Security-Focused Culture: A well-rounded Human Risk Management (HRM) programme should prioritise fostering a security-aware culture. Techniques such as behavioural nudging and real-time coaching can help address risky actions immediately, encouraging employees to form safer habits that protect both themselves and the company.

The Retail Industry and the Future of HRM

The retail industry is at a crossroads when it comes to cybersecurity. Companies can no longer rely solely on traditional methods of protection to stay ahead of emerging risks, particularly as AI and social engineering tactics evolve.

By integrating nudging techniques, real-time coaching, and continuous education, retail CISOs can create a more resilient workforce, capable of defending against the most sophisticated cyber threats. Saepio’s managed security awareness training programme (M-SAT) is designed to help businesses address these challenges head-on.

Visit our managed security awareness page to see how our services can help you defend against cyber threats. Our real-time coaching feature addresses risky behaviours as they happen, providing your workforce with immediate feedback and helping prevent future incidents. Let us help you build a positive, security-conscious culture—because in today’s retail landscape, your employees are both your greatest asset and your biggest risk.