A recent global survey conducted by Marsh reveals that cyber-related challenges have emerged as the leading risks concerning people in organizations, according to their 2026 People Risks report. This comprehensive study is based on interviews with over 4,500 human resources and risk management professionals across 26 markets worldwide, highlighting the paramount importance of cybersecurity awareness within corporate frameworks.
Technological change and disruption were identified as the most pressing risks in the top ten concerns, with “cyber-threat literacy” taking precedence as the foremost risk factor. Close behind, the report emphasizes the significance of skill shortages in fields like cybersecurity and artificial intelligence, ranking them at number three. Additionally, “mindset barriers to AI adoption” surfaced in sixth position; this category encompasses limited knowledge of both the risks associated with AI and the necessary mitigation strategies, as well as the failure of the workforce to comply with existing AI regulations and policies.
In another significant finding, the survey pinpointed the mishandling of data and intellectual property as the seventh most critical risk. This finding underlines the urgent need for organizations to adopt stringent data governance practices and enhance their information protection strategies. Marsh warns that these interconnected factors could collectively elevate the likelihood of cyber-attacks and data breaches, thereby diminishing a company’s competitive edge and tarnishing its reputation and public trust.
The challenges stemming from insufficient security awareness among employees continue to resonate with organizations globally. A prime example of the escalating concern is the release of new guidelines by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier in January. These guidelines are intended to assist security teams in effectively mitigating insider risks, thereby creating a more robust defense against potential cyber threats.
Ed Ventham, director of broking at UK cyber-insurance specialist Assured, offers a critical perspective in response to the findings of the Marsh report. He contends that while the focus on cyber-threat literacy is valid, it obscures a more significant issue concerning the response to cyber incidents when they occur. “The real issue isn’t just whether people understand cyber risk; it’s how things play out when something goes wrong,” he stated in an interview with Infosecurity. According to Ventham, the material impact of incidents increasingly stems from failures in technology performance—systems not operating as expected or platforms becoming unresponsive. Consequently, this can lead to business interruptions, operational disruptions, and ultimately, substantial economic losses.
Business leaders are advised to shift their focus more toward mitigating the repercussions of cyber-related incidents, Ventham pointed out. “The risk isn’t just incidents occurring. It’s a lack of preparation for when they do, and a lack of understanding or forethought about how quickly they translate into lost revenue, contractual exposure, and balance sheet impact. That’s where boards need to be focusing,” he emphasized.
The Marsh report also posits that effectively managing people-shaped risks can become a significant competitive advantage for organizations. A striking 40% of the respondents who implement beneficial practices reported increases in workforce productivity and efficiency. Additionally, 36% indicated accelerated progress on strategic initiatives, including AI adoption. Hervé Balzano, president of health and benefits at Mercer, underscores this notion by stating, "In 2026, resilience depends on how well organizations invest in their people: building the right skills, supporting health and financial security, and redesigning work so humans and technology can perform at their best together."
To combat the risks associated with human error, the Marsh report provides a series of recommendations aimed at bolstering organizational resilience. These include reframing cyber risk perspectives to encompass broader vulnerabilities, such as those linked to operational technology, human resources and benefits systems, as well as third-party services. Identifying potential exposures through proactive cyber-risk planning is crucial, along with recruiting talent equipped with strong cybersecurity skills. Establishing a cyber-centric culture is also imperative, where security concerns can be addressed by all staff members, and everyone understands their specific responsibilities.
Additionally, reducing factors that contribute to employee stress and fatigue is essential, as these are often the precursors to compromised vigilance against cyber threats. Finally, ensuring human oversight of critical systems, supported by robust governance and insurance coverage, remains a critical component of an effective overall strategy. By heeding these recommendations, organizations can build a resilient framework capable of navigating the challenges posed by today’s rapidly evolving cyber landscape.

