Most security budgets go on firewalls, patching and monitoring. But the attacks making headlines right now don’t start with a clever bit of code. They start with a phone call, an email or someone walking through a door they shouldn’t.
If you lead an HR or operations team, your people are being tested far more often than your servers, and it’s worth knowing exactly how that happens. Read on to see how red teams probe the human side of your defences, and what that means for the way you train and protect your staff.
Why People Are the First Target
Attackers go where the effort is lowest. Breaking through a well-configured technical perimeter takes time, skill and luck. Convincing a busy member of staff to reset a password takes a confident voice and a believable story. Given the choice, criminals pick the conversation every time.
The Marks & Spencer breach is the clearest recent example. Attackers rang the retailer’s outsourced IT helpdesk, run by Tata Consultancy Services, posed as internal staff and walked away with credential resets. No malware, no zero-day exploit. Just a phone call that opened the door to a breach M&S expects to cost it around £300 million in lost operating profit. The technical controls held. The human process around them didn’t.
This gap shows up in the numbers too. The Experis UK CIO Outlook 2026 found that 56% of UK tech leaders (CIOs, CTOs and CISOs) now rank cybersecurity as their top concern, and 84% plan to increase their security budgets. The catch is that most of that spend still goes on tooling, while the Government’s 2025/26 Cyber Security Breaches Survey shows persistent gaps in basic controls and staff awareness. Leaders know people are the soft spot, but the money still flows towards kit.
What a Red Team Actually Tests
A red team behaves like a real attacker rather than a box-ticking auditor. The whole point is to find the weakest link and prove it can be used, then show you how to close it. That means testing your people and processes alongside your technology, which is where most assessments stop short.
That’s why a proper red teaming engagement looks at far more than open ports. A good team will study how your staff respond to pressure, how your helpdesk verifies callers, and whether someone can talk or walk their way into a restricted area without being challenged. They’re checking the parts of your defence that no piece of software can patch.
The methods they use tend to fall into a few clear buckets:
- Phishing simulations. Fake but convincing emails sent to staff to see who clicks, who enters credentials, and who reports it. The reporting rate often matters more than the click rate.
- Vishing. Voice-based social engineering, where a tester rings an employee or helpdesk and impersonates a colleague, supplier or IT support to extract access or information.
- Physical access testing. Trying to get into the building by tailgating through a door, posing as a contractor, or simply acting like they belong there.
- Pretexting. Building a believable backstory and identity in advance, then using it to make every request seem legitimate.
How Testers Find the Weak Links
Good testers don’t fire off random attempts. They do their homework first, reading your website, LinkedIn profiles and press releases to learn names, job titles and the language your company uses internally. The more they know, the more convincing they become.
From there, they look for the path of least resistance. That might be a new starter who hasn’t had any security training, a helpdesk that resets passwords without strict checks, or a reception desk where nobody questions a person in a high-vis jacket. Once they find that soft spot, they exploit it to show how far an attacker could get.
The findings then turn into something you can act on. You’ll see which teams need training, which processes need tightening, and where a simple verification step would have stopped the whole thing. It’s far better to learn this from a hired professional than from a criminal.
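One way to turn phishing-simulation results into the per-team picture described above (who clicked, who entered credentials, who reported, and who reported before clicking) is the aggregator below. It is an added example, not code from the article or from any red team's tooling; the event log, team names, action labels and the 60% reporting threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample simulation log: (ISO timestamp, team, user, action).
# Actions: delivered, clicked, submitted (credentials entered), reported.
SAMPLE_EVENTS = [
    ("2025-03-03T09:00", "finance", "alice", "delivered"),
    ("2025-03-03T09:04", "finance", "alice", "clicked"),
    ("2025-03-03T09:05", "finance", "alice", "submitted"),
    ("2025-03-03T09:00", "finance", "bob", "delivered"),
    ("2025-03-03T09:02", "finance", "bob", "reported"),
    ("2025-03-03T09:00", "finance", "carol", "delivered"),
    ("2025-03-03T09:10", "finance", "carol", "clicked"),
    ("2025-03-03T09:12", "finance", "carol", "reported"),
    ("2025-03-03T09:00", "finance", "dave", "delivered"),
    ("2025-03-03T09:00", "ops", "erin", "delivered"),
    ("2025-03-03T09:01", "ops", "erin", "reported"),
    ("2025-03-03T09:00", "ops", "gail", "delivered"),
    ("2025-03-03T09:06", "ops", "gail", "clicked"),
    ("2025-03-03T09:07", "ops", "gail", "reported"),
]


def summarise(events):
    """Per-team rates over users who actually received the simulated email."""
    first = defaultdict(lambda: defaultdict(dict))  # team -> user -> action -> earliest ts
    for ts, team, user, action in events:
        acts = first[team][user]
        if action not in acts or ts < acts[action]:  # ISO strings sort chronologically
            acts[action] = ts
    summary = {}
    for team, users in first.items():
        got = [a for a in users.values() if "delivered" in a]  # only targeted users count
        rate = lambda pred: sum(1 for a in got if pred(a)) / len(got)
        summary[team] = {
            "click_rate": rate(lambda a: "clicked" in a),
            "submit_rate": rate(lambda a: "submitted" in a),
            "report_rate": rate(lambda a: "reported" in a),
            # Reported without clicking first: the outcome training should grow.
            "reported_first": rate(lambda a: "reported" in a
                                   and ("clicked" not in a or a["reported"] < a["clicked"])),
        }
    return summary


def needs_training(summary, min_report_rate=0.6):
    """Flag teams on what matters most: a low reporting rate or any credential entry."""
    return sorted(t for t, m in summary.items()
                  if m["report_rate"] < min_report_rate or m["submit_rate"] > 0)
```

In the constructed data the ops team clicks as often as finance but reports every email, so only finance is flagged, which is the point the article makes about reporting rate over click rate.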
The Door That Code Can’t Close
The takeaway for HR and operational leaders is simple. Your staff are part of your security, whether or not they’ve been trained to be. People who know what a vishing call sounds like, or who feel confident challenging a stranger at the door, become a genuine line of defence instead of an open one.
Test them in a safe setting, train them on what the test reveals, and treat the results as a starting point, not a scorecard. The attackers are already rehearsing their phone calls. It makes sense to rehearse your answers first.