Security leaders across European companies are increasingly facing AI-powered attacks that target employees rather than technical systems.
A survey of 200 CISOs in the UK, France, Germany, and Sweden found that a clear majority believe their own management does not fully grasp the risk this poses. The study was commissioned by MetaCompliance, a vendor of human cyber risk management software.
Attacks Target People, Not Just Technology
According to respondents, the focus of cyberattacks is shifting noticeably: instead of exploiting system vulnerabilities, attackers increasingly try to deceive individual employees directly. Among CISOs who rate their organization’s cyber resilience as worse than a year ago, almost half attribute this to increasingly sophisticated AI-powered social engineering methods. Across the full survey, 68 percent now rank their own workforce as the organization’s biggest security weakness.
Specific concerns raised by security leaders include:
- AI making social engineering attacks faster and more effective (over 40 percent)
- Employees entering sensitive data into public AI tools (40 percent)
- Malicious insiders using AI for fraud or data theft (41 percent)
A country comparison also shows that deepfake-based identity fraud is seen as especially threatening in the UK: there, more than one in two CISOs consider this attack type seriously dangerous, the highest share among the four countries surveyed.
Management Support Is Fading
Beyond the growing AI threat, study participants mainly point to eroding support within their own organizations. 79 percent say leadership engagement with security awareness initiatives declines over time. Compounding this, 76 percent struggle to meet differing, sometimes conflicting expectations from various stakeholders regarding human risk metrics. Nearly a quarter also cite cross-departmental alignment as one of their biggest weaknesses, an indication of how difficult it is to enforce a unified security strategy across organizational boundaries.
MetaCompliance CEO James Mackay puts the figures in context: “AI has significantly amplified the risks posed by human error. Attackers have long since moved beyond obvious scams or poorly written phishing emails. Today, they can convincingly impersonate someone’s identity, launch social engineering attacks, and fake communications at scale.” This rapid evolution makes leadership backing more important than ever, Mackay adds: “Human cyber risk is no longer simply an awareness or training issue, it’s a strategic risk for every business. Our research shows that many CISOs are still navigating this challenge largely alone, often without consistent backing from leadership, clear ownership, or a shared understanding of the risks across the business.”
Continuous Risk Management Instead of One-Off Training
The study’s authors argue that security awareness should no longer be treated as a one-time training project but as an ongoing management task. Nearly a quarter of the CISOs surveyed already rank strengthening resilience against AI-powered social engineering among their top priorities for the next twelve months.
“Organizations that treat human cyber risk as an ongoing management discipline, rather than a recurring training event, will be best placed to succeed,” Mackay says. “Employees need support at the exact moment they’re exposed to risk. This means organizations must use behavioral insight, intervene in real time, and provide contextual guidance to their people, empowering them to make better security decisions even as AI-driven attacks become harder to detect.”
(lb)