Time and time again, small to medium businesses (SMBs) believe that their organizations are too small to be on cybercriminal’s radars, but research shows that 46% of all cyberattacks are targeted at SMBs, and that 95% of cybersecurity breaches within these organizations are attributed to human error.

With this in mind, it is important to consider how employee negligence leads to cybersecurity incidents, and what preventative measures can be taken to avoid future risk. 

Negligence isn’t bliss

According to research, 22% of data leakages in the SMB sector were caused by employees, and almost the same amount was due to cyberattacks. There are several ways employees’ actions can unintentionally lead to serious security breaches and harm the cybersecurity of small and medium businesses:

  1. Weak passwords: Employees might use simple or easily guessed passwords, which could be effortlessly cracked by cybercriminals, ultimately resulting in unauthorized access to sensitive data. 
  2. Phishing scams: Employees might unknowingly click on phishing links in emails leading to malware infections and unauthorized access to the network. Most scammers can mimic an email address supposedly belonging to a legitimate company, and when sending an email with an attached document or archive, it turns out to be a malware sample. 
  3. Bring Your Own Device (BYOD) policy: BYOD gained greater impetus as a result of the successive lockdowns during the height of the COVID-19 pandemic. Employees frequently use personal devices to connect to corporate networks, which can pose a serious security threat if these devices do not have adequate protection against cyber threats. 
  4. Lack of patching: If employees use personal devices, IT staff may not be able to monitor the security of those devices or troubleshoot any security issues. Furthermore, the employees might not apply patches or updates to their systems and software regularly, leaving vulnerabilities that can be exploited by cybercriminals.
  5. Ransomware: In case of ransomware attacks, it is important to back up data and to have access to the encrypted information even if cybercriminals have managed to take over the company’s system.
  6. Social engineering: Employees might unintentionally provide sensitive information such as login details, passwords or other confidential data in response to social engineering tactics or phishing scams. Those more likely to be easily tricked are new employees who are unaware of the company’s typical cyber hygiene practices. 

How SMBs should take action

The high number of cyber incidents stemming from employee negligence proves all organizations need thorough cybersecurity awareness training to teach staff how to avoid common security mistakes.

At minimum, organizations need to install endpoint protection with capabilities for threat detection and reaction to reduce the risk of attacks and data breaches. Managed protection services will also assist organizations with attack investigation and professional reaction. To lessen the possibility of incidents brought on by employees, thorough cybersecurity awareness training that teaches how to prevent common security threats is also necessary.

To be truly assured that an organization has a strong cybersecurity posture in place, here is a list of industry expert recommendations: 

  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities to decrease the chance of infection through a phishing email.
  • Take key data protection measures. Always safeguard corporate data and devices, including switching on password protection, encrypting work devices and ensuring data is backed up. 
  • Keep working devices physically safe. Do not leave them unattended in public, always lock them and use strong passwords and encryption software.
  • Even small businesses should protect themselves from cyber threats, regardless of whether employees work on corporate or personal devices. There are many solutions specifically engineered for small business that do not require significant time, resources or knowledge for deployment and management.
  • Finding a dedicated solution for small and medium businesses with simple management and proven protection features. Alternatively, delegate cybersecurity maintenance to a service provider that can offer tailored protection for a business.