Cybersecurity is no longer an afterthought for today’s enterprise. High-profile data breaches and attacks have catapulted cybersecurity to the top of executives’ priority lists, and investments in cybersecurity solutions are soaring: The 2018 Harvey Nash/KPMG CIO Survey found businesses surveyed spend a combined $46 billion on cybersecurity every year.
Spend is still going up, too, as KPMG’s report found a 23 percent increase in the number of professionals prioritizing cybersecurity investments this year compared to last.
However, even sophisticated cybersecurity technologies still struggle to identify and prevent some of the most basic cyberattacks. Take, for instance, the Business Email Compromise, a scam blamed for an estimated $5.3 billion in stolen corporate funds in 2016, according to the Federal Bureau of Investigation (FBI). The tactic relies on employee ignorance, not on system weaknesses, to find success.
Now, a new report, conducted by research group Ipsos for information security company Shred-it, suggests that employees are indeed often the weakest link in corporates’ cybersecurity initiatives. In the Shred-it Security Tracker published last week, Ipsos surveyed more than 1,000 small businesses, more than 100 C-Suite executives at larger firms, and more than 1,000 employees to assess cybersecurity strategies. One-third of employees admitted that their behavior at work has, at one point, been potentially risky for their employer. Employee negligence is the main cause of data breaches at the companies surveyed, researchers noted.
Shred-it Vice President Monu Kalsi said in a statement, “The study’s findings clearly show that seemingly small habits can pose great security risk and add up to large financial, reputational and legal risks.”
Forty-seven percent of C-Suite executives and 42 percent of small business owners pointed to human error or accidental loss by an employee as the cause of a data breach, while more than a quarter of C-suite professionals and 17 percent of small business owners said human error at one of their vendors caused a data breach. Though companies large and small can agree that employees expose their firms to security risks, there is a significant difference in how companies of varying sizes address their employee weak points. Seventy-eight percent of C-suite professionals said they plan to train their staff on information security procedures in the coming year, whereas only 28 percent of small business owners said the same.
Only 35 percent of SMBs have a policy in place for employees to dispose of confidential information while working off-site, while 54 percent of larger firms have such a policy in place. The vast majority of C-Suite executives also revealed that they train employees on how to keep sensitive data out of sight while working in a public space; 71 percent are trained to identify fraudulent emails, and 73 percent know how to report a lost or stolen electronic device they use for work.
However, paper documents continue to present a challenge to corporates’ security initiatives. Nearly three-quarters of U.S. workers take notes on paper, and nearly two-in-five admit they have left such paper documents open on their desk when they leave for the day. More than a third of C-Suite executives said they know an employee had lost a paper document with sensitive company information.
Even electronic documents are not necessarily safe. Nearly half of C-Suite executives said they have had an employee who has lost a company device. About a fifth of executives across all business sizes said they had suffered a data breach because an employee lost some form of sensitive company information.
“For companies looking to better protect their data, smart information security begins with giving employees access to smart information security practices and training,” Kalsi added. “Through consistent training and education, businesses of all sizes can take back ownership of information security and create a more security-minded work culture among their employees.”