Just Why Are So Many Cyber Breaches Due to Human Error?

Often mentioned but seldom probed in the media is the biggest reason behind cybersecurity breaches – employee error. Two facts about this stand out. One is just how overwhelming employee errors are. The other is that the fault lies largely in the lap of companies themselves, not their workers.

Let’s start with a statistic. A joint study by Stanford University Professor Jeff Hancock and security firm Tessian has found that a whopping 88 percent of data breach incidents are caused by employee mistakes. Similar research by IBM Security puts the number at 95 percent.

Moreover, when a breached company finds the cause of the attack and the human culprit, the reaction is typically stern. According to Tessian, its aforementioned study, "Psychology of Human Error 2022, " one in four such employees lose their job within about a year, even though more than half of employees fall for a phishing email because the attacker impersonated a senior executive at the company.

They and surviving employees typically feel guilty and, predictably, fewer of these employees are reporting their mistakes.

This approach isn’t working. This isn’t to say that employees shouldn’t be held accountable. But after a proper lecture and probably a mandate to embrace more cybersecurity training, the focus should be on helping the employee do better in the future. Rejection helps nobody.

Ultimately, the mitigation of human error has to come from two angles – reducing opportunity and educating users. The fewer opportunities there are for an error, the less users will be tested. And the more knowledge they have, the less likely they are to make a mistake even when they face an opportunity to do so.

Most companies have done a pretty good job on the reduction of opportunity by typically investing time and money into bolstering their cyber defenses and supporting technology. They typically have a long list of anti-virus solutions, software and operating system patches, virtual private networks and vulnerability scanning across devices. Encryption is also becoming common.

On the cybersecurity education front, however, most enterprises are not doing a good job. Employees typically get a day or two of training when they are hired and thereafter some sort of brush-up once a year. This isn’t enough because many employees forget at least some of what they learn after a few months and, regardless, all employees need additional help with cybersecurity because it’s constantly changing. According to the Advanced Computing Systems Association, companies should host cybersecurity training every four to six months, preferably using interactive examples and videos.

At this juncture, unfortunately, too many employees remain insufficiently informed about cybersecurity, in part because security executives and managers put a higher priority on amassing technology. In particular, many companies prioritize having a broad array of complex cybersecurity tools, even though this may be counterproductive. According to IBM Security, security teams are overwhelmed by alerts and the growing number of tools they must manage. Big Blue estimates that enterprises use as many as different security products from roughly 40 vendors, which essentially boils down to building a clear picture with pieces from 80 separate puzzles.

Another indication that security executive may be misplacing their priorities is the continued reluctance among many companies to adopt incident response plans consistently across their organizations. Another study by IBM Security, with the help of Ponemon Institute, found that a whopping 74 percent of security and IT pros surveyed in 11 global markets didn't feel this was necessary. This seems to be a mistake given that IRPs are designed to expedite the response to an organizational breach to mitigate reputational damage and cleanup costs.

What businesses typically do when cybersecurity issues pop up is rely on their security department for help. This approach is too narrow, however. For a truly security-aware culture, all employees of the business must also be seriously committed to staying abreast of cyber threats. Creating such a culture is facilitated when leaders can influence their team members to adopt certain mindsets and behaviors – precisely the goal of corporate cybersecurity training.

Here are some additional company tips:

  • Improve password management. 123456 remains a surprisingly popular password, a recipe for disaster. Use more complex passwords, change them often, and always limit each one to one account. The best solution is probably the use of password management applications that allow users to create and store strong passwords without needing to remember them.
  • Be mindful that cyber criminals are always looking for new exploits in software. When such exploits are discovered, software developers tend to quickly fix the vulnerability and send out a patch to users before cybercriminals can compromise more users. But these not infrequently have to be downloaded by individual computer users, who often procrastinate and open the door for a breach. One such example was the 2017 WannaCry ransomware attack that targeted Microsoft Windows software. Microsoft distributed a patch months before the attacks occurred but many users postponed downloading, contributing to the infiltration of more than 200,000 computers worldwide.
  • The explosion of remote workers and the hybrid workplace requires companies to be more creative about getting the word out about the importance of security. When employees were predominately based in the office, it was easy to disseminate this message through placards and other means of workplace communication. To ensure a secure hybrid workplace, these reminders now need to be transmitted to employee home computers. And companies would be wise to use gamification to reinforce security awareness training because games are adept at keeping users engaged.
  • Training sessions should be run by teacher/coaches who are empathic and friendly. They also need to be open to taking questions, even if they seem simplistic. Many people, for instance, don’t readily embrace the negative impact of password re-use, arguing that there is no critical information tied to their account. They need to be nicely told this may be true but is nonetheless problematic if the same password is used on other accounts that link personally identifiable information.

Ultimately, companies must embrace more and better cybersecurity training. If it turns out that employees continue to make too many errors, they must explore why. They may find that lack of motivation is the root cause. Employees may see it as an annoyance or something they cannot really control. Either way, companies must work harder still with these folks. Serious employee support is the best way to mitigate breaches.


  • Security Today Launches 2023 Government Security Awards

    Security Today Launches 2023 Government Security Awards

    Security Today is proud to announce the launch of the 2023 Government Security Awards. The Govies honor outstanding government security products in a variety of categories. For this year’s awards program, participants can choose from 38 different categories to enter their product(s) into. Read Now

  • Back to the Basics

    Back to the Basics

    Security is a continuous evolution of practices and procedures. The developments in technology and advancements in threats make security difficult at times. Although security from one location may look different from another location, there is a common goal applied to security measures. The common goal is protection. Read Now

  • The Top Three Security Trends in 2023

    The Top Three Security Trends in 2023

    As security technology has become more widely used, the interest in new capabilities and increased security measures has increased. As we head into 2023, these three trends will shape the security landscape. Read Now

  • TSA Breaks Record Nationally and in Washington for Firearm Discoveries in 2022

    TSA Breaks Record Nationally and in Washington for Firearm Discoveries in 2022

    Transportation Security Administration (TSA) officers in Washington detected 164 firearms in travelers’ carry-on luggage in 2022, with the majority of the firearms discovered at Seattle-Tacoma International Airport’s (SEA) security checkpoints. Read Now

Featured Cybersecurity

New Products

  • Kangaroo Home Security System

    Kangaroo Home Security System

    Kangaroo is the affordable, easy-to-install home security system designed for anyone who wants an added layer of peace of mind and protection. It has several products, ranging from the fan-favorite Doorbell Camera + Chime, to the more comprehensive Front Door Security Kit with Professional Monitoring. Regardless of the level of desired security, Kangaroo’s designed to move with consumers - wherever that next chapter may be. Motion sensors, keypads and additional features can be part of the package to any Kangaroo system in place, anytime. Additionally, Kangaroo offers scalable protection plans with a variety of benefits ranging from 24/7 professional monitoring to expanded cloud storage, coverage for damage and theft. 3

  • BriefCam v6.0

    BriefCam v6.0

    BriefCam has released BriefCam v6.0, which introduces the new deployment option of a multi-site architecture. This enables businesses with multiple, distributed locations to view aggregate data from all remote sites to uncover trends across locations, optimize operations and boost real-time alerting and response – all while continuing to reap the benefits of BriefCam's powerful analytics platform for making video searchable, actionable and quantifiable. 3

  • Hanwha Techwin Wisenet XRN-6410DB4 / mXRN-3210B4

    Hanwha Techwin Wisenet XRN-6410DB4 / mXRN-3210B4

    Hanwha Techwin America, a global supplier of IP and analog video surveillance solutions, unveiled two new Wisenet X series NVRs that support the industry’s first video playback and recording of up to 8K super-high-resolution images. 3