What’s the Biggest Cybersecurity Threat? Employees.

The majority of cybersecurity incidents can be attributed to employee error, according to a March 2015 CompTIA study. Risky employee behavior and inadequate cybersecurity training by employers are largely to blame. With cybercrime on the rise and the cost of a breach averaging $38,000 for a small business, workforce education is a wise investment.

A new study commissioned by CompTIA examined employee behavior related to using technology in and outside of the workplace, and it sheds light on where security gaps might occur. Consider these statistics gleaned from a survey of 1,200 full-time American workers:

  • 94% connect their laptop or work phone to public Wi-Fi networks
  • 69% of that group handle work-related data while they are on public networks
  • 63% use their company-issued mobile device for personal activity
  • 37% change their passwords only annually or sporadically

The study focused a significant amount of attention on the prevalent use of USB devices to store and share information, despite the risks involved. Cybercriminals actually create viruses and worms targeted at these portable, plug-in devices. Of the workers surveyed, 58% said they use USB devices. Some even use shared devices and admit that they would plug in a USB stick that they found.

It’s not that employees aren’t technologically savvy or aware of risk, but they seem to have a false sense of security. A bright spot in the study reveals good employee habits around updating software and using antivirus protection. Still, the bad habits leave the door open to breaches.

This all demonstrates how important cybersecurity training is for employees, yet 45% of the workers polled said they don’t receive any company training. Employers would be wise to invest more time and resources in educating their workers. (See blog: Cybercrime: The Event That Could Shut Down Your Business in 6 Months.) Those who do provide training use a variety of methods: online training (32%), group workshops (26%), paper materials (15%), and one-on-one instruction (14.5%). More employers need to find the format that suits their organization and help their employees prevent rather than facilitate a cyberattack.