The cost of having your network breached is significant. Over the past year, ransomware remediation costs more than doubled, from $761,106 to $1.85 million. The average cost of a data breach for small businesses is now $108,000 per incident. 

Those high costs, and some of the intangibles, such as loss of client trust, drive businesses to protect their networks from cyberattacks. This is done through a variety of tactics, such as employee training and:

• Endpoint security
• Managed IT services
• Firewalls
• Anti-malware & antivirus software
• Identity security measures
• And more

These measures are taken to harden the network against threats from ransomware, viruses, business email compromise (BEC), brute force attacks, and many other types of cyberattacks.

But… business owners often fail to address their biggest IT security risk, their employees.

The Risk of Human Error 

That’s right. Human error is one of the major causes of data breaches globally, which means your employees are your biggest cybersecurity threat. Even if they don’t know it.

According to a Stanford University study, approximately 88% of all data breaches are due to employee mistakes. So, if you don’t address human error along with adding other security protections, you’re missing a big part of your cyber hygiene.

How does employee error factor into data breaches? Let’s look at the reasons employees are your biggest cybersecurity threat.

Employees Are Targeted By Cyber Criminals

A vast majority of attackers target individuals working in a company and count on their help to launch an attack.

Now this “help” is usually not given knowingly. The attackers craft convincing phishing emails that trick employees into clicking links to phishing sites or downloading malicious file attachments. The hackers need a legitimate system user to introduce the malware to get past standard system protections. 

Employees cite the following as the top reasons that they accidentally clicked on a phishing email:

• Distracted or busy (45%)
• They thought the email was legitimate (43%)
• The email looked like it came from a senior executive (41%)
• The email looked like it was from a recognizable brand (40%)

Phishing remains the #1 delivery channel for all types of attacks, and phishing targets your employees.

Employees Are Often Afraid to Speak Up If They Made a Security Mistake

Most companies are very serious when it comes to cybersecurity, and this can come across through harsh penalties for employee errors. If people think they are going to get in trouble, then they may not mention that they just clicked on a phishing email by accident.

This makes matters worse because often hackers don’t make themselves known right away. A click on a phishing email can give the criminal entry into your network and they can be planting ransomware sleeper code for months before triggering a visible attack. If you know immediately that a breach occurs, you can take action to mitigate damage.

Unfortunately, if there’s a culture of punishment for security mistakes, you may never get that initial warning about a mistake.

Employees Typically Have Bad Password Habits

People suffer from password overload. That’s a fact. They have tons of personal passwords and work-related passwords that they must juggle daily. Remembering them all isn’t really feasible if you’re also following secure password practices.

A LastPass study found that employees reuse the same password an average of 13 times. 

Some of the poor password habits that employees use, which lead to compromised credentials, include:

• Reusing the same password multiple times
• Using weak and easy-to-guess passwords (e.g., “password1234)
• Storing passwords in non-encrypted files
• Emailing and texting passwords
• Not using multi-factor authentication

How to Overcome Breaches Caused by Human Error

Employee Training

Employee training can make a huge difference when it comes to the risk of human error. Employees often want to do better (no one wants to be the cause of a data breach at work!), but they need to receive ongoing training and reminders of best practices. 

How much can you reduce your risk through an employee cybersecurity awareness training program? Between 45% to 70%! 

Tips on training that can get you those results:

• Train regularly (people tend to forget things as soon as 5-6 months after being trained)
• Use different methods, including on-demand videos, group sessions, and phishing simulations
• Make cybersecurity part of the culture of the organization, so talking about it becomes natural 

Make It Okay for Employees to Tell You About a Mistake

There is a balance between reprimanding repetitive poor cybersecurity and being overly punitive for an honest mistake. If you want employees to report mistaken clicks on phishing emails to you, then you need to make it “okay” for them to report them when they happen.

Have an honest conversation with your team about that balance. Let them know that the sooner you’re aware of a potential accidental click, the faster your IT team/partner can act to mitigate damage.

Bolster Your Team with Cybersecurity Tools

You can help your team reduce human error by giving them backup in the form of cybersecurity tools. These include things like DNS filtering to block malicious sites (even after the link has been clicked), security labeling on emails that originate outside your network, strong anti-malware, and more.

Get Help from Digital Crisis to Reduce Your Overall Cybersecurity Risk

Digital Crisis can help your Houston area business with a holistic cybersecurity strategy that incorporates hardware security, software tools, and employee training.

Contact us today to schedule a consultation. Call 713-965-7200 or reach us online.