Can you be trusted? According to a study conducted by Verizon, maybe not.

Analyzing 42,068 incidents and 1,935 breaches from 84 countries, Verizon discovered that 77 percent of data breaches involved an insider. Employees, not hackers, are the top cause of data breaches in companies. But if you’re imagining your officemates living a secret life as a cybercriminal kingpin, think again.

More than 90 percent of all cyber attacks are committed with information stolen from employees who unwittingly gave away sensitive data (such as access credentials) to hackers. It’s careless, not criminal, employees that create the majority of vulnerabilities.

So, what can your small business do about it?

OPPORTUNITY: According to a survey conducted by The Alternative Board (TAB), 62 percent of business owners believe it is their responsibility to train employees in security policies and protocols, and yet only 40 percent of respondents say their business is conducting employee training on cyber security issues.

SOLUTION: In this article, we’ll investigate the reasons for the training gap and show why you need to invest in employee security awareness training to reduce security-related risks at a fraction of the cost: security awareness training costs less than 1 percent of an average breach and reduces damages by $12.50 per data record stolen.


41 percent of employees are unfamiliar with two-factor authentication

The reason employees are a top cause of data breaches is because most people lack security awareness.

Security awareness is a measure of an employee’s knowledge, attitude, and judgment about security. Think of it as security common sense. Many of us lack security common sense; this is a problem that clings like static, and is carried from our personal life into our professional life:

Many people don’t follow password best practices, which include changing passwords regularly, separating personal accounts from work accounts, and always using two-factor authentication when it is available.

Phishing and social engineering account for 79 percent of ransomware attacks

If basic security rules aren’t being consistently followed, how can employees be expected to deal with the deception of cyber goons trying to steal information?

Maybe “goons” undersells the risk. Social engineers and hackers are more like “cyber vampires” draining sensitive information from your small business.

Web-based phishing and social engineering account for 79 percent of ransomware attacks. In fact, cyber security company RSA estimates that a phishing attack occurs every 30 seconds.

Here is an example of a phishing attack provided by phishing.org:

[Sample phishing email image not reproduced here.] Would this email sound your alarm bells? (Source: phishing.org)

It’s important to say this: phishing attacks are preventable. Like vampires in fiction, they can only come into your home if you give them permission to enter.

Still, most people don’t have the knowledge to defend themselves or their company:

The majority of consumers (68 percent) say they want companies to provide an extra layer of security—and this needs to happen at work as well. The business, not the employee, must take responsibility for security awareness.

65 percent of SMBs have a password policy but do not strictly enforce it

A report authored by IBM found that over 95 percent of all incidents investigated cite “human error” as a contributing factor.

People are a point of failure. But businesses aren’t doing enough to guide and direct their employees. More than half of SMBs have no visibility into employee password practices and hygiene. In most companies, staff perform their duties without any security supervision.

Even if employees are monitored, many businesses lack meaningful security policies to establish best practices and good habits. 65 percent of SMBs have a password policy but do not strictly enforce it.
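A password policy that is written down but never checked is the gap the statistic above describes. The following is an added example, not code from the article, of enforcing such a policy at the moment a password is set: minimum length, no username or birthday inside the password (the article later notes how many of us still use our birthdays), no reuse of recent passwords, and a maximum age so that “change passwords regularly” is actually triggered. The thresholds, the sample user and the hashing shortcut are assumptions for this demo.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Policy:
    # Thresholds are assumptions for this example, not values from the article.
    min_length: int = 12
    max_age_days: int = 90      # "change passwords regularly"
    history_size: int = 5       # how many previous passwords may not be reused


@dataclass
class UserRecord:
    username: str
    birthdate: date
    password_set_on: date
    previous_hashes: list = field(default_factory=list)


def history_hash(password: str) -> str:
    # Simplification for the demo: real password storage and history should use a
    # slow, salted hash (scrypt, argon2, bcrypt), not a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def birthday_tokens(d: date) -> set:
    """Digit strings a person is likely to type from their birthday (year, DDMM, MMDD, ...)."""
    fmts = ("%Y", "%d%m", "%m%d", "%Y%m%d", "%d%m%Y", "%m%d%Y", "%y%m%d", "%d%m%y")
    return {d.strftime(f) for f in fmts}


def check_new_password(candidate: str, user: UserRecord, policy: Policy) -> list:
    """Return the names of the rules the candidate violates; an empty list means accepted."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if user.username.lower() in candidate.lower():
        violations.append("contains_username")
    digits_only = re.sub(r"\D", "", candidate)   # look at the digit run, ignoring separators
    if any(tok in digits_only for tok in birthday_tokens(user.birthdate)):
        violations.append("contains_birthday")
    if history_hash(candidate) in user.previous_hashes[-policy.history_size:]:
        violations.append("reused")
    return violations


def password_expired(user: UserRecord, policy: Policy, today: date) -> bool:
    """True when the current password is older than the policy allows."""
    return today - user.password_set_on > timedelta(days=policy.max_age_days)


def set_password(candidate: str, user: UserRecord, policy: Policy, today: date) -> bool:
    """Enforce the policy at the point of change; returns True only if the password was updated."""
    if check_new_password(candidate, user, policy):
        return False
    user.previous_hashes.append(history_hash(candidate))
    user.password_set_on = today
    return True


def make_sample_user() -> UserRecord:
    # Constructed sample account; the old password seeds the reuse history.
    return UserRecord(
        username="jsmith",
        birthdate=date(1985, 4, 12),
        password_set_on=date(2024, 1, 5),
        previous_hashes=[history_hash("Winter2023!!xx")],
    )


if __name__ == "__main__":
    user, policy, today = make_sample_user(), Policy(), date(2024, 6, 1)
    print("expired:", password_expired(user, policy, today))
    for pw in ("Spring1985!!xyz", "jsmith-is-here-2024", "Winter2023!!xx", "aB3$",
               "correct-horse-battery-staple"):
        print(f"{pw!r}: {check_new_password(pw, user, policy) or 'accepted'}")
```

Run as a script it prints the verdict for each constructed candidate; the birthday check is the one most teams forget, and it only works because the directory already knows the employee’s date of birth.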

According to research conducted by The Alternative Board (TAB), a business consultancy and management company, business owners surveyed say it’s time and resources which prevent them from doing more—such as investing in cyber security awareness training—to protect their business.

60 percent of small businesses that suffer a data breach are out of business in six months

So why does security training matter? We’re going on three decades into the computing age and most of us still can’t avoid using our birthdays as our master passwords. Shouldn’t we just wait until robots—with no concept of birthdays—take over our security responsibilities?

In theory, technology—once it’s ready—might save some of us. But your small business doesn’t have time to wait: by 2021, cybercrime damages are estimated to cost the world $6 trillion annually.

The average cost to your small business of one cybercrime incident is estimated at $1 million. And this doesn’t fully take into account your mangled reputation after customer data is exposed. Customers that don’t trust your brand, abandon your brand.

It’s no wonder that 60 percent of small businesses that suffer a data breach are out of business in six months.

Invest in cyber security awareness training to reduce damages by $12.50 per stolen data record

Cyber security awareness training reduces the threat of security breaches caused by employees and staff negligence. You should invest in employee security awareness training to reduce security-related risks for your business at a fraction of the cost of the average breach.

OUR RECOMMENDATION: follow these best practices to help you achieve the greatest ROI from your security awareness training:

1. Most employees don’t want to go to cyber security school. Prepare for this and include change management training as key to your program.

2. Use the value argument to build the business case: IBM estimates the cost of a security breach for the average business at $3.62 million, spanning an average of 24,000 records stolen. By comparison, security awareness training costs less than 1 percent of an average breach (scaled to business size) and reduces damages by $12.50 per data record stolen.

3. Security awareness training needs to be a recurring program and continuous process—not a one-time, easily forgotten event. Host monthly security check-ins to assess personal and organizational improvement goals. In addition, schedule quarterly workshops to encourage compliance with security policies and learn the latest defensive tips.

Learn more about small business cyber security