The cost of having your network breached is significant. Over the past year, ransomware remediation costs more than doubled, from $761,106 to $1.85 million. The average cost of a data breach for small businesses is now $108,000 per incident.
Those high costs, and some of the intangibles, such as loss of client trust, drive businesses to protect their networks from cyberattacks. This is done through a variety of tactics, such as employee training and:
These measures are taken to harden the network against threats from ransomware, viruses, business email compromise (BEC), brute force attacks, and many other types of cyberattacks.
But… business owners often fail to address their biggest IT security risk, their employees.
That’s right. Human error is one of the major causes of data breaches globally, which means your employees are your biggest cybersecurity threat. Even if they don’t know it.
According to a Stanford University study, approximately 88% of all data breaches are due to employee mistakes. So, if you don’t address human error along with adding other security protections, you’re missing a big part of your cyber hygiene.
How does employee error factor into data breaches? Let’s look at the reasons employees are your biggest cybersecurity threat.
A vast majority of attackers target individuals working in a company and count on their help to launch an attack.
Now this “help” is usually not given knowingly. The attackers craft convincing phishing emails that trick employees into clicking links to phishing sites or downloading malicious file attachments. The hackers need a legitimate system user to introduce the malware to get past standard system protections.
Employees cite the following as the top reasons that they accidentally clicked on a phishing email:
Phishing remains the #1 delivery channel for all types of attacks, and phishing targets your employees.
Most companies are very serious when it comes to cybersecurity, and this can come across through harsh penalties for employee errors. If people think they are going to get in trouble, then they may not mention that they just clicked on a phishing email by accident.
This makes matters worse because hackers often don’t make themselves known right away. A click on a phishing email can give the criminal entry into your network, and they can plant ransomware sleeper code for months before triggering a visible attack. If you know immediately when a breach occurs, you can take action to mitigate the damage.
Unfortunately, if there’s a culture of punishment for security mistakes, you may never get that initial warning about a mistake.
People suffer from password overload. That’s a fact. They have tons of personal passwords and work-related passwords that they must juggle daily. Remembering them all isn’t really feasible if you’re also following secure password practices.
A LastPass study found that employees reuse the same password an average of 13 times.
Some of the poor password habits that employees use, which lead to compromised credentials, include:
Employee training can make a huge difference when it comes to the risk of human error. Employees often want to do better (no one wants to be the cause of a data breach at work!), but they need to receive ongoing training and reminders of best practices.
How much can you reduce your risk through an employee cybersecurity awareness training program? Between 45% and 70%!
Tips on training that can get you those results:
There is a balance between reprimanding repeated poor cybersecurity habits and being overly punitive for an honest mistake. If you want employees to report mistaken clicks on phishing emails to you, then you need to make it “okay” for them to report those clicks when they happen.
Have an honest conversation with your team about that balance. Let them know that the sooner you’re aware of a potential accidental click, the faster your IT team/partner can act to mitigate damage.
You can help your team reduce human error by giving them backup in the form of cybersecurity tools. These include things like DNS filtering to block malicious sites (even after the link has been clicked), security labeling on emails that originate outside your network, strong anti-malware, and more.
Digital Crisis can help your Houston area business with a holistic cybersecurity strategy that incorporates hardware security, software tools, and employee training.
Contact us today to schedule a consultation. Call 713-965-7200 or reach us online.