Just Why Are So Many Cyber Breaches Due to Human Error?

Often mentioned but seldom probed in the media is the biggest reason behind cybersecurity breaches – employee error. Two facts about this stand out. One is just how overwhelming employee errors are. The other is that the fault lies largely in the lap of companies themselves, not their workers.

Let’s start with a statistic. A joint study by Stanford University Professor Jeff Hancock and security firm Tessian has found that a whopping 88 percent of data breach incidents are caused by employee mistakes. Similar research by IBM Security puts the number at 95 percent.

Moreover, when a breached company finds the cause of the attack and the human culprit, the reaction is typically stern. According to Tessian, its aforementioned study, "Psychology of Human Error 2022, " one in four such employees lose their job within about a year, even though more than half of employees fall for a phishing email because the attacker impersonated a senior executive at the company.

They and surviving employees typically feel guilty and, predictably, fewer of these employees are reporting their mistakes.

This approach isn’t working. This isn’t to say that employees shouldn’t be held accountable. But after a proper lecture and probably a mandate to embrace more cybersecurity training, the focus should be on helping the employee do better in the future. Rejection helps nobody.

Ultimately, the mitigation of human error has to come from two angles – reducing opportunity and educating users. The fewer opportunities there are for an error, the less users will be tested. And the more knowledge they have, the less likely they are to make a mistake even when they face an opportunity to do so.

Most companies have done a pretty good job on the reduction of opportunity by typically investing time and money into bolstering their cyber defenses and supporting technology. They typically have a long list of anti-virus solutions, software and operating system patches, virtual private networks and vulnerability scanning across devices. Encryption is also becoming common.

On the cybersecurity education front, however, most enterprises are not doing a good job. Employees typically get a day or two of training when they are hired and thereafter some sort of brush-up once a year. This isn’t enough because many employees forget at least some of what they learn after a few months and, regardless, all employees need additional help with cybersecurity because it’s constantly changing. According to the Advanced Computing Systems Association, companies should host cybersecurity training every four to six months, preferably using interactive examples and videos.

At this juncture, unfortunately, too many employees remain insufficiently informed about cybersecurity, in part because security executives and managers put a higher priority on amassing technology. In particular, many companies prioritize having a broad array of complex cybersecurity tools, even though this may be counterproductive. According to IBM Security, security teams are overwhelmed by alerts and the growing number of tools they must manage. Big Blue estimates that enterprises use as many as different security products from roughly 40 vendors, which essentially boils down to building a clear picture with pieces from 80 separate puzzles.

Another indication that security executive may be misplacing their priorities is the continued reluctance among many companies to adopt incident response plans consistently across their organizations. Another study by IBM Security, with the help of Ponemon Institute, found that a whopping 74 percent of security and IT pros surveyed in 11 global markets didn't feel this was necessary. This seems to be a mistake given that IRPs are designed to expedite the response to an organizational breach to mitigate reputational damage and cleanup costs.

What businesses typically do when cybersecurity issues pop up is rely on their security department for help. This approach is too narrow, however. For a truly security-aware culture, all employees of the business must also be seriously committed to staying abreast of cyber threats. Creating such a culture is facilitated when leaders can influence their team members to adopt certain mindsets and behaviors – precisely the goal of corporate cybersecurity training.

Here are some additional company tips:

  • Improve password management. 123456 remains a surprisingly popular password, a recipe for disaster. Use more complex passwords, change them often, and always limit each one to one account. The best solution is probably the use of password management applications that allow users to create and store strong passwords without needing to remember them.
  • Be mindful that cyber criminals are always looking for new exploits in software. When such exploits are discovered, software developers tend to quickly fix the vulnerability and send out a patch to users before cybercriminals can compromise more users. But these not infrequently have to be downloaded by individual computer users, who often procrastinate and open the door for a breach. One such example was the 2017 WannaCry ransomware attack that targeted Microsoft Windows software. Microsoft distributed a patch months before the attacks occurred but many users postponed downloading, contributing to the infiltration of more than 200,000 computers worldwide.
  • The explosion of remote workers and the hybrid workplace requires companies to be more creative about getting the word out about the importance of security. When employees were predominately based in the office, it was easy to disseminate this message through placards and other means of workplace communication. To ensure a secure hybrid workplace, these reminders now need to be transmitted to employee home computers. And companies would be wise to use gamification to reinforce security awareness training because games are adept at keeping users engaged.
  • Training sessions should be run by teacher/coaches who are empathic and friendly. They also need to be open to taking questions, even if they seem simplistic. Many people, for instance, don’t readily embrace the negative impact of password re-use, arguing that there is no critical information tied to their account. They need to be nicely told this may be true but is nonetheless problematic if the same password is used on other accounts that link personally identifiable information.

Ultimately, companies must embrace more and better cybersecurity training. If it turns out that employees continue to make too many errors, they must explore why. They may find that lack of motivation is the root cause. Employees may see it as an annoyance or something they cannot really control. Either way, companies must work harder still with these folks. Serious employee support is the best way to mitigate breaches.

Featured

  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

  • AI Is Now the Leading Cybersecurity Concern for Security, IT Leaders

    Arctic Wolf recently published findings from its State of Cybersecurity: 2025 Trends Report, offering insights from a global survey of more than 1,200 senior IT and cybersecurity decision-makers across 15 countries. Conducted by Sapio Research, the report captures the realities, risks, and readiness strategies shaping the modern security landscape. Read Now

  • Analysis of AI Tools Shows 85 Percent Have Been Breached

    AI tools are becoming essential to modern work, but their fast, unmonitored adoption is creating a new kind of security risk. Recent surveys reveal a clear trend – employees are rapidly adopting consumer-facing AI tools without employer approval, IT oversight, or any clear security policies. According to Cybernews Business Digital Index, nearly 90% of analyzed AI tools have been exposed to data breaches, putting businesses at severe risk. Read Now

  • Software Vulnerabilities Surged 61 Percent in 2024, According to New Report

    Action1, a provider of autonomous endpoint management (AEM) solutions, today released its 2025 Software Vulnerability Ratings Report, revealing a 61% year-over-year surge in discovered software vulnerabilities and a 96% spike in exploited vulnerabilities throughout 2024, amid an increasingly aggressive threat landscape. Read Now

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.