Are Your Employees Your Biggest Cybersecurity Risk?

Posted October 9, 2017 7:10 pm & filed under Articles

Identifying Gaps in Information Security Programs

In 2017, the number of data breaches affecting organizations reached record levels, totaling nearly 1,000 by the start of National Cyber Security Awareness Month in October. While organizations in the “other” industries category were the most frequently targeted by a large margin, attackers also accessed the records of organizations in the medical, financial, educational and additional industries, underscoring that no employer is immune to a data breach.

Beyond the direct financial impact of a breach, including damage to the customer base and the cost of repairing cybersecurity infrastructure, these attacks also cost employers significant amounts in lost productivity. The Ponemon Institute reports that for businesses breached as a result of a phishing scam, the majority of the costs incurred are from lost productivity. In fact, businesses hit by such scams lost over $1.8 million on average in productivity alone.

Hacking/skimming/phishing attacks have been reported by the Identity Theft Resource Center as the leading cause of data breach incidents, accounting for more than half of all breaches. Many of these were the result of CEO spearphishing, in which an attacker impersonating a senior executive tricks an employee into sending highly sensitive data, typically the information required for state and federal tax filings. In 2016 the IRS saw a 400 percent increase in this type of fraud. The second and third most common causes of data breaches were accidental email/internet exposure of information and employee error. These three leading causes share one notable commonality: each is frequently, or in the latter two cases always, triggered by an employee’s action.

This startling commonality emphasizes the importance of the theme of the second week of National Cybersecurity Awareness Month: Cybersecurity in the Workplace Is Everyone’s Business. Businesses frequently recognize the importance of having strong cybersecurity technology in place, as demonstrated by the $90 billion expected to be spent on information security in 2017, an increase of 7.6 percent over 2016. However, one area businesses often don’t emphasize enough is training employees on their role in protecting their employer’s security. In comparison to the large total spent on information security, only an estimated $1 billion is spent on cybersecurity awareness training. You read that right: employees cause the majority of organizations’ data breaches, but on average only about 1% of information security budgets is spent on training employees to reduce the risk of falling victim to these attacks.


Investing in quality, continual security awareness training is a critical first step in helping your employees understand their role in protecting your business from cyberattacks. Ponemon recently calculated the effectiveness of anti-phishing training programs and found that the average-performing program produced a 37-fold return on investment, even after accounting for the productivity lost during the time employees spent being trained. October is an ideal month to step up these efforts, since it is National Cybersecurity Awareness Month. This month, many public and private organizations, including ourselves, are working together to raise awareness of cybersecurity and the steps businesses and their employees can take to better protect themselves and the customers they serve. NCSAM has a vast library of educational resources and best practices that your business can share with employees throughout the year, helping turn cybersecurity from an often-forgotten annual training into a cornerstone of your company culture.

Transforming cybersecurity from an infrequent webinar into a key part of company culture can pay big dividends for businesses. According to Siobhan MacDermott, principal in the cybersecurity practice at Ernst & Young, “If good security hygiene permeates a company, then it’s something that can be successful.” Joe Ferrara, CEO of Wombat Security Technologies, argued that videos and classroom-based training that don’t engage employees are less effective than running simulated phishing attacks against the organization and following up with shorter, more digestible training modules. Safety product manufacturer MSA Safety implemented one such training program, and within the first year the rate of employees failing the simulated phishing attacks fell from 25 percent to between 5 and 8 percent. “We have lowered our risk considerably,” said Steve Rocco, the company’s global cyber security manager.


Businesses can further commit to creating a culture of cybersecurity by offering identity protection and resolution services as an employee benefit. An increasing percentage of businesses already recognize the value of offering this benefit. Doing so not only demonstrates your commitment to data protection, but also furthers your continual cybersecurity education mission, since quality services include resource libraries and emails that share identity protection tips and best practices with employees. Additionally, if your business does fall victim to a breach, having a certified, compassionate resolution team available 24/7 to help affected employees resolve their identity theft and fraud cases can offset some of the costs associated with lost productivity.

To learn more about offering identity protection as an employee benefit from a provider consumers have trusted for over 185 years, request a demo.