While most business owners understand the growing problem of cybersecurity failures, many small and midsize enterprises don’t have the resources to hire expert cyber risk teams.
That said, companies must do something to prevent major financial losses from cyber incidents. The good news is it’s doable, because the overwhelming majority of cyber-related losses at small and midsize organizations result from human error.
The statistics vary by survey, but most research indicates well above 50% of cyber incidents involve employees failing to guard against cyber threats. Verizon’s 2022 Data Breach Investigations Report says 82% of breaches it studied involved “the human element.”
Mistakes can lead to:
- The outflow (exfiltration) of data and intellectual property
- Shutdowns of or lockouts from company systems
- Erroneous fund transfers
- Ransom demands
- Business interruptions
- Product contaminations
- Property damage
- Liability claims from business partners harmed by the breach
Despite all the scary statistics, there may be some good news: Training employees to avoid, prevent and respond to cyber breaches is relatively inexpensive to implement.
Here are some actions you can take to address the most common human cyber risks, according to a November 2022 EisnerAmper survey.
| Human cyber risk | Action |
| --- | --- |
| False communications from a vendor, such as instructions for payment or system access | Instruct employees to seek confirmation directly from an authorized person and use contact information not provided in the initiating request. |
| Scams and dangerous links that come in emails or texts | Train employees not to click on links in unsolicited emails or respond to unexpected emails from unfamiliar entities, no matter how legitimate they look. Instead, instruct them to contact a familiar or verified person and inquire about the legitimacy of the initial outreach. They should also know not to send financial or system access information in response to requests without double-checking the source. |
| Lost or stolen devices | Password protect all business devices and install a “bricking” program, which makes devices unusable if lost or stolen. If your company permits the use of personal devices, you will have a wide range of security problems, so consult a cybersecurity specialist. |
| Out-of-date software or hardware, which leaves security holes for hackers to exploit | Always install patches and updates that come from the manufacturer in a timely manner. You may lose an hour of productivity, but that’s better than losing access to your data or systems. |
| Lack of corporate policies and protocols detailing what is allowed, what constitutes a violation, and how to respond to cyber problems | Ask management to determine how systems and data may be accessed, who should have permissions, what duties employees should have to prevent infiltration of networks and exfiltration of data, what actions staff should take if they make a mistake or notice a problem, and what the consequences will be if you discover violations of protocol. Provide these policies and procedures in writing and have employees sign them. Conduct training and testing periodically to ensure compliance. |
| Weaknesses in cloud technology use and open-source systems, such as guest Wi-Fi | Create a corporate policy to secure internet use outside of the office, including home networks and public Wi-Fi, which can be easily hacked. The use of a VPN may help, but your policy should specify Wi-Fi rules. For home-based workers, it may be worth the money to have an IT person adjust routers, printers and other connected devices so manufacturer passwords are replaced and security best practices are observed. Employees may also wish to use apps or other outside software on their company-provided devices. These are extremely unsafe practices since many app providers spy or collect data that users don’t know about. If your company stores data on the cloud or relies on cloud-based software, make sure your contracts specify how security is to be maintained and how failures will be paid for. Cloud breaches and interruptions are increasingly common, and many cyber insurance policies don’t cover these losses. |
| Use of corporate equipment or systems by nonemployees | Ideally, do not allow external users on your networks or machines. But if you must, strictly control and monitor use. Train employees not to share passwords or access codes. Make sure all users are credentialed and their activities are documented. If you wish to host guest internet users, such as in a waiting room, set up a guest Wi-Fi that is siloed away from the company network. Remember that thumb drives and other methods of invading or downloading are hard to detect without 24/7 monitoring services, making unsupervised use of hardware or systems by external users a risky proposition. |
This list is enough to get you started on reducing cyber risks resulting from human error, but there is one more issue to consider: malicious internal staff actions, such as downloading restricted information.
Sometimes employees decide to intentionally harm or steal from their companies. Your staff training should address such behaviors. Seek a cybersecurity education vendor that includes a lesson on intentional staff violations, what to look for, and what to do if you suspect employee fraud. Though continuous monitoring of system activity is the best way to prevent internally generated harm, staff awareness and a protocol for reporting potential incidents are good first steps.
Your insurance agent can give you more advice on cyber risk management as well as information on cyber insurance. Cyber insurance can help you recover should staff error lead to liability claims or internal losses.