The risk posed by cybercrime to businesses has never been greater. As organisations increasingly digitise their operations, they face a growing array of cyber threats. While sophisticated hacking tools and malware play a role in cyber breaches, human error remains the leading cause, accounting for 82% of all breaches, according to Verizon’s 2022 Data Breach Investigations Report. Below we consider why human error is the main cause of cyber security breaches and the steps organisations can take to mitigate this risk.
Cybercrime – the world’s 3rd largest economy
Cybercrime is now considered a global “industry,” valued at approximately $8 trillion in 2023, making it the third-largest “economy” in the world, following the US and China. Projections suggest this figure will rise to $10.5 trillion by 2025, highlighting the urgency of addressing cybersecurity vulnerabilities.
SMEs are at the greatest risk
A Small to Medium-sized Enterprise (SME) is typically defined as employing fewer than 250 people with an annual revenue below €50 million. SMEs represent roughly 90% of all businesses globally and contribute around 50% of global GDP. Yet, despite their relatively low revenue, SMEs are a target for cybercrime. Also, studies show that 60% of SMEs go out of business within six months of experiencing a cyber breach. Limited resources, poor training, lack of knowledge and insufficient cybersecurity measures make them attractive targets for hackers.
Reasons why human error accounts for the majority of cybersecurity breaches
Hackers often exploit human vulnerabilities rather than relying on advanced technology to bypass security systems. Here’s how human error contributes to most cybersecurity breaches:
1. Weak passwords
- Weak or reused passwords are a common security flaw. People often choose simple passwords or reuse the same ones across multiple accounts, making it easier for hackers to gain unauthorised access.
- Example: A survey by NordPass revealed that “password” and “123456” are still among the most used passwords globally. Once breached, these credentials can lead to access across multiple systems.
2. Phishing attacks
- Phishing remains one of the most prevalent forms of cyberattacks. Hackers trick employees into revealing sensitive information, such as login credentials, by posing as trusted entities.
- Example: A realistic-looking email from a “bank” or “IT department” might prompt a user to click a malicious link, granting the attacker access to critical systems. Phishing has become even more problematic since hackers have started using AI in cybercrime to automate these types of attack.
3. Using personal accounts at work
- Employees often use personal email or cloud storage accounts for work tasks. These accounts are typically less secure than corporate accounts, creating vulnerabilities.
- Risk: Sensitive work data could be leaked or accessed by unauthorised individuals if these accounts are compromised.
4. Using work accounts on personal devices
- Remote work has blurred the line between personal and professional device use. Employees accessing work accounts on personal devices often neglect basic security practices, such as using antivirus software.
- Risk: Personal devices may lack corporate security measures, exposing work accounts to malware or hacking attempts.
5. Bring your own device (BYOD) policies
- While BYOD policies can boost flexibility and productivity, they also introduce security risks. Employees’ personal devices may not meet the organisation’s security standards.
- Example: A compromised smartphone used for work emails could serve as a gateway for hackers into the company’s network.
6. Failure to recognise social engineering tactics
- Social engineering involves manipulating individuals into divulging confidential information. This tactic preys on human psychology rather than technological vulnerabilities.
- Example: A hacker might pose as a colleague needing urgent access to a shared file, convincing an employee to share sensitive information.
7. Insufficient staff training
- A lack of cybersecurity training leaves employees unaware of best practices, making them more likely to fall victim to attacks.
- Example: Employees might fail to identify phishing emails, click on suspicious links or use unsecured networks without realising the risks.
8. Poor handling of sensitive data
- Employees sometimes mishandle sensitive data, such as sharing confidential files over insecure channels or failing to encrypt data properly.
- Risk: Mismanaged data can fall into the wrong hands, leading to breaches and reputational damage.
9. Failure to update software and systems
- Neglecting software updates is a significant security risk. Updates often contain patches for vulnerabilities that hackers exploit.
- Example: The infamous WannaCry ransomware attack exploited outdated Windows systems, affecting thousands of organisations worldwide.
10. Over-reliance on default security settings
- Many organisations rely on default settings for software and systems, which are often not optimised for security. Also, in a bid to save money, SMEs often run unprofessional or outdated open-source software.
- Risk: Hackers can easily exploit known default configurations.
By addressing these vulnerabilities, companies can significantly reduce the risk of breaches caused by human error.
Training is the key for SMEs
For companies, especially SMEs, the stakes couldn’t be higher when it comes to cybersecurity. Hackers exploit the weakest links in any system, and more often than not, that weak link is human error. While sophisticated security tools are essential, they can only go so far if employees are untrained or unaware of basic cybersecurity practices.
Basic precautions SMEs can take against cybercrime
Organisations must take proactive steps to mitigate these risks. Implementing regular training programmes can help employees recognise phishing attempts, use strong passwords and handle sensitive data securely. Establishing clear in-house policies, such as guidelines for BYOD use and data sharing, can further reduce vulnerabilities.
Ultimately, the onus lies with firms to prioritise cybersecurity. By empowering staff with knowledge and creating a culture of vigilance, companies can better safeguard themselves against the growing threat of cybercrime. In a world where hackers are constantly evolving their tactics, staying one step ahead is not just advisable – it’s essential.