Why Your Employees Are the Biggest Threat to Your Cybersecurity Posture

What is an organization’s most significant risk when defending against today’s most prominent cybersecurity threats? It isn’t its technology. What may surprise many SMBs is that, in many cases, the biggest risk to an organization is its people.

According to the recent Verizon Data Breach Report, 82 percent of incidents in 2022 involved a human element. While this is down slightly from the year prior (which clocked in at 85 percent), it still represents a significant majority of attacks that can result in significant adverse effects for an SMB or organization of any size, including financial loss, customer impact, data theft, operational downtown, and reputational harm.

Human error resulting in an attack can take many forms, but one of the most common is phishing. Phishing is a cyberattack where attackers send emails or other communications to trick individuals into clicking on links or downloading files with malware. Once clicked or downloaded, the tactic can be used to then potentially breach the organization or spread malicious software such as ransomware. According to one survey, 73 percent of organizations reported being victims of phishing attacks.

Another common type of human error attack is credential theft or reuse. This could include employees reusing passwords across multiple accounts, allowing attackers to compromise one password and access multiple potentially sensitive accounts. The Verizon Data Breach Report found that social engineering and credential reuse resulted in 45 percent of breaches in 2022 — a significant portion.

How can an SMB prepare its business to combat this type of risk? Education is one key piece to mitigating the risk posed by humans inside the organization. SMB IT leaders should take the time to educate their teams on the latest threats and best practices to help individuals pinpoint signs of a potential attack and mitigate risk. These best practices include password management, leveraging multi-factor authentication, spotting a phishing attack, safe web browsing, and other items.

There are many formats that this education can take. SMBs can host educational sessions or lunch and learns, for instance, to make educating on best practices engaging and fun. They can also consider investing in training tools, such as online courses or programs. These courses and programs can help pragmatize education, as well as testing tools such as phishing simulators that can put employees’ education to the test and ensure they are constantly vigilant for potential attacks.

SMBs should ensure they are employing these tactics often across the organization, but they should also recognize that it is not a one-and-done task. Cyber threats are constantly evolving, and SMBs should constantly educate employees on the latest attacks and refresh their memories on how to protect against them. By enabling their employees, SMBs and IT leaders can best prepare themselves to mitigate against today’s most significant risks.