Did You Know That Half of Data Breaches Are Caused by Employees? Here's What You Can Do About It


Even when companies invest in securing their data and networks, they often make one mistake.

They forget to train their users.

Half of data breaches are caused by employees

Sure, everyone in a company receives instructions to create a strong password, not to log in to public WiFi while accessing confidential information, and not to click on anything suspicious in email.

Then they're turned loose to work.

That's not really training.

  • When's the last time you changed your password – and do you even know what a strong password is?
  • Do you know why accessing public WiFi can endanger your network?
  • Have you ever had a training session about how to identify “anything suspicious” in an email?

If you answered “no” (or “I don't know”) to those questions, you're making the same mistake. Here's how you can do better.

Prevent data breaches by training employees to minimize human error

Why Is User Training for Security Important?

How's this for an answer?

Research from IBM shows that roughly half of data breaches are caused by employees. A small portion of these are malicious – deliberate theft, or a disgruntled employee sticking it to their boss. Mostly it's because people simply don't know the basics of information security. Forrester research tells a similar story, attributing 46% of data breaches to internal issues, with malicious intent at 46% and accidents at 42%.

We'll focus on how you can avoid those accidents from happening.

It doesn't matter how good your security plan and infrastructure are when all it takes is one employee clicking a malware link in a phishing email and – BAM! – ransomware is inside your network. A tested backup plan means that's not a catastrophe for you, though keep in mind that backups restore data; they don't undo the data theft that often accompanies a modern ransomware attack.


Regular – ONGOING – training can help alleviate this problem. Notice I said “alleviate”: human error is something we can't do away with. Here are six steps you can take to keep those human errors to a minimum:

  1. Create a security policy
  2. Keep it updated as new technology and apps come into use
  3. Ensure everyone in the office acknowledges that they understand the security policy by having them sign a statement
  4. Provide tips and advice on a regular basis
  5. Remind everyone throughout the year that cyber security is important
  6. Provide periodic training on key topics throughout the year – passwords, how to spot a phishing email, how to secure your mobile device, etc.

Training is effective. Research from Wombat Security and Aberdeen Research found that “an investment in user awareness and training effectively changes behavior and quantifiably reduces security-related risks by 45% to 70%.”

Remember that awareness isn't training – there's a gap between telling someone security is important and showing them how to, for example, spot a phishing email. So while it's important to tell everyone that you want to have a security culture, you also need to devote time to training so that everyone has the skills and knowledge to create that culture of security.

Don't Forget Physical Security

While you focus on cybersecurity, don't forget to physically secure your information. A few quick tips to keep in mind:

  • Restrict access to your server room
  • Don't let delivery people or other visitors wander your office unaccompanied
  • Have employees keep keys or passes secure
  • Lock drawers, file cabinets, and rooms where you keep sensitive information.
  • Don't write passwords on a Post-it note and put them on your monitor or a bulletin/whiteboard (especially if you video conference regularly with that bulletin board or whiteboard in the background).
  • Secure your laptop, phone, and other devices in public by keeping them near you, and don't leave them in a car, even a locked one, if you can help it.

Explain why security is important to employees, don't just tell them what to do

Explain “Why”

One last note on security training: explaining the reasons behind the security steps people are asked to take is more effective than a “just do it or else” approach.

A research paper, Technology Use: Conception and Operational Definitions, showed that “mindful” teaching worked better than “directive” training. Everyone is familiar with directive training: you sit in a room and someone explains what you should and shouldn't do. In this case, that meant how to spot phishing emails using some of their key characteristics.

The “mindful” teaching also showed how to spot a phishing email, but added why it was important not to click on them (harmful viruses, ransomware, etc.). The people in this group still didn't recognize 100% of phishing emails, but they were less likely to fall victim to an email scam.

For your office, this means sharing with employees the risks a security breach poses to the business (and, in the worst-case scenario, to their jobs).

Security is a strategy supported by information technology. It also should be part of your business culture.

Train regularly and stay safe.

It's past time to take security seriously. Are you ready to focus on securing your vital information, but not sure where to start? Our IT pros are ready to help. Contact us today to schedule a free IT assessment.

Categories: Security, Office Hacks, Managed Services
