%20(13).png?width=1200&name=Dean%20Ayres%20(Blog%20Banner)%20(13).png)
Quantifying Human Risk: Beyond Technology, How NHS Organisations Can Rethink Data Security with Dean Ayres
In today’s fast-moving world of AI-generated phishing, spoofed email domains, and compromised accounts, technical tools alone are no longer enough to keep NHS organisations safe.
At M8 Solutions, we are so lucky to work with brilliant data security leaders like Dean Ayres who is the Head of Information Governance and Data Security at East of England Ambulance Service NHS Trust and brings a strategic, human approach to data security.
In our recent conversation with Dean, he shared some powerful insights on insider threats, behavioural analytics, and why he believes every organisation should be measuring one thing above all else: human risk.
Dean’s Approach: From Blast Radius to Behaviour
Dean talks about damage that a user could have if their accounts or devices were compromised and the potential blast radius. He highlights that you must look beyond job titles. Global admins, executive assistants, clinical leads – anyone with broad system access could cause major harm if targeted successfully. “It’s about access, habits, and how likely someone is to fall for a social engineering attempt and trigger an incident. A global admin obviously has a massive blast radius, but so might an executive assistant who has access to a director’s inbox and files.”
But Dean doesn’t only focus on staff roles seen as most risky. He overlays it with human behaviour.
“The real danger often sits in the middle,” he explained. “Not the highest roles, not the most junior staff – but people with a wide span of access and a higher tendency to take risks, be complacent, or act out due to personal factors.”
To manage this, Dean and his team built a scoring system to quantify user risk. Hundreds of staff were graded based on access level, behavioural factors, and digital footprint. That risk system wasn’t just theoretical – it became a practical guide to where their team should focus preventative controls and resources.
When Human Risk Comes from Home
One of the most eye-opening moments in our conversation was when Dean described a real-world case of insider risk that didn’t come from a staff member but from their teenage son.
A browser stealer had infected a home device used by both the staff member and her son. Her NHS email and credentials were saved in the browser. Her son had signed up to a Russian email service for gaming and reused weak passwords. The result? Multiple accounts compromised, with NHS credentials up for sale on the dark web.
“So, the insider threat wasn’t really her...” Dean explained. “It was her son and her shared personal device.”
This case starkly shows why protecting against cyber threats isn't just about written policies and technical controls, the focus must be directed towards understanding people, context, and behaviour analytics.
The Case for Real-Time Breach Monitoring
Dean also highlighted a serious gap in NHS cyber security funding and tooling: real-time breach intelligence. While many commercial tools exist to monitor the dark web for leaked NHS credentials, tight budgets often mean those tools are out of reach.
“I used to be able to see when NHS accounts were for sale online. Now, with no funding, I’m in the dark.”
He argues that breach monitoring should be as standard as Multi Factor Authorisation (MFA)– not just to protect the Trust, but to protect staff. As Dean put it: “If we’re serious about staff wellbeing, we need to protect them from the personal consequences of compromise, not just the organisation.”
Where M8 Solutions Fits In
Our relationship with Dean is grounded in a shared ethos: no fearmongering, no blame culture, just honest conversations and practical action. He believes that resilience needs to be built from the inside out. From championing behavioural analytics to challenging assumptions about insider risk, Dean’s work is helping set a new standard for human-centred data security across the NHS.
At M8 Solutions, we’re proud to support this type of incredible work, whether that’s cyber strategies and security assessments to strengthen your general security posture, or though improving staff awareness and training, behaviour analytics, and identity and access management solutions to address specific areas of human risk.
One Piece of Advice?
We asked Dean: if you could give one piece of advice to other NHS organisations, what would it be?
“Start by understanding what risk each member of staff represents. Quantify human risk. Don’t wait for a breach – know your red, amber and green risk zones now, and build a system that evolves as threats and behaviours change.”
Curious about how to apply this kind of human-layer thinking in your NHS organisation?
Get in touch, we’d love to share what’s working.
