Can you be trusted? According to a study conducted by Verizon, maybe not.
Analyzing 42,068 incidents and 1,935 breaches from 84 countries, Verizon discovered that 77 percent of data breaches involved an insider. Employees, not hackers, are the top cause of data breaches in companies. But if you’re imagining your officemates living a secret life as a cybercriminal kingpin, think again.
More than 90 percent of all cyber attacks are committed with information stolen from employees who unwittingly gave away sensitive data (such as access credentials to hackers). It’s employees that are careless—not criminal—that create the majority of vulnerabilities.
So, what can your small business do about it?
OPPORTUNITY: According to a survey conducted by The Alternative Board (TAB), 62 percent of business owners believe it is their responsibility to train employees in security policies and protocols, and yet only 40 percent of respondents say their business is conducting employee training on cyber security issues.
SOLUTION: In this article, we’ll investigate the reasons for the training gap and show why you need to invest in employee security awareness training to reduce security-related risks at a fraction of the cost: security awareness training costs less than 1 percent of an average breach and reduces damages by $12.50 per data record stolen.
Here’s what we’ll cover:
Why are employees a top cause of data breaches?
Why don’t employees get the training they need?
How much do security breaches caused by employees cost small businesses?
Invest in cyber security awareness training to reduce damages by $12.50 per stolen data record
Learn more about small business cyber security
The reason employees are a top cause of data breaches is because most people lack security awareness.
- 47 percent of people are using passwords that are at least 5 years old.
- 40 percent of employees use their work email for personal matters.
- 41 percent of employees are unfamiliar with two-factor authentication.
A number of people don’t follow password best practices which include: changing passwords regularly, separating personal accounts from work accounts, and always using—when available—two-factor authentication.
Phishing and social engineering account for 79 percent of ransomware attacks
If basic security rules aren’t being consistently followed, how can employees be expected to deal with the deception of cyber goons trying to steal information.
Maybe “goons” undersells the risk. Social engineers and hackers are more like “cyber vampires” draining sensitive information from your small business.
Here is an example of a phishing attack provided by phishing.org:
Would this email sound your alarm bells? (Source: phishing.org)
It’s important to say this: phishing attacks are preventable. Like vampires in fiction, they can only come into your home if you give them permission to enter.
Still, most people don’t have the knowledge to defend themselves or their company:
- 97 percent of people around the globe cannot identify a phishing email.
- On average, users click one in every 25 malicious messages.
The majority of consumers (68 percent) say they want companies to provide an extra layer of security—and this needs to happen at work as well. The business, not the employee, must take responsibility for security awareness.
Over 95 percent of all incidents investigated recognize “human error” as a contributing factor—gleaned from a report authored by IBM.
People are a point of failure. But businesses aren’t doing enough to guide and direct their employees. More than half of SMBs have no visibility into employee password practices and hygiene. In most companies, staff perform their duties without any security supervision.
Even if employees are monitored, a number of businesses lack meaningful security policies to establish best practices and good habits. 65 percent of SMBs have a password policy but do not strictly enforce it.
According to research conducted by the The Alternative Board (TAB), a business consultancy and management company, business owners surveyed say it’s time and resources which prevent them from doing more—such as investing in cyber security awareness training—to protect their business.
So why does security training matter. We’re going on three decades into the computing age and most of us still can’t avoid using our birthdays as our master passwords. Shouldn’t we just wait until robots—with no concept of birthdays—take over our security responsibilities?
In theory, technology—once it’s ready—might save some of us. But your small business doesn’t have time to wait: by 2021, cybercrime damages are estimated to cost the world $6 trillion annually.
The average cost to your small business of one cybercrime incident is estimated at $1 million. And this doesn’t fully take into account your mangled reputation after customer data is exposed. Customers that don’t trust your brand, abandon your brand.
Cyber security awareness training reduces the threat of security breaches caused by employees and staff-negligence. You should invest in employee security awareness training to reduce security-related risks for your business at a fraction of the cost of the average breach.
OUR RECOMMENDATION: follow these best practices to help you achieve the greatest ROI from your security awareness training:
1. Most employees don’t want to go to cyber security school. Prepare for this and include change management training as key to your program.
2. Use the value argument to build the business case: IBM estimates the cost of a security breach for the average business at $3.62 million dollars, spanning an average of 24,000 records stolen. In response, security awareness training costs less than 1 percent of an average breach—scaled to business size—and reduces damages by $12.50 per data record stolen.
3. Security awareness training needs to be a recurring program and continuous process—not a one-time, easily forgotten event. Host monthly security check-ins to assess personal and organizational improvement goals. In addition, schedule quarterly workshops to encourage compliance with security policies and learn the latest defensive tips.