There is no shortage of horror stories tying negligent employees to major data breaches. From Marriott and Twitter to lesser-known small businesses, the evolution of cybercrime consistently shows that successful attacks rely on the human factor to succeed.
Employee negligence is the primary cause of data breaches in both large and small businesses. These breaches cost companies an average of $3.86 million globally, but for the US, that average jumps to $8.64 million. What about smaller businesses that don’t have the assets to make the situation right? Most are forced to close their doors due to costly fines, loss of reputation, and loss of business.
What is employee negligence?
When you hear of large-scale data breaches on the news, with rare exceptions, they didn’t take place because a disgruntled employee woke up and decided to cause mass chaos. They happened because very good employees made mistakes, took shortcuts, or were fooled.
Security risks caused by negligence of well-meaning employees occur every single day, whether business owners know about it or not. An employee sees a popup message on their workstation alerting of an outdated program that needs updating, but unknowingly installs malware. Another employee receives an email seemingly from HR asking them to click on a link to update information in their employee file that turns out to be a phishing attack. These are real scenarios that take place every day.
Marriott Data Breach
In January 2020, through the use of malware, attackers gained access to 5.2 million records of Marriott guests. These records included names, contact information, birthdays, loyalty account details, and personal preferences. As a result, Marriott may face severe penalties because the stolen data included personally identifiable information. This breach occurred because the credentials of two Marriott employees were compromised and used to log in to one of the hotel chain’s third-party applications.
Twitter Data Breach
In July 2020, a successful phishing attack on Twitter employees allowed attackers to gain access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these breached accounts to promote a Bitcoin scam. Some notable hacked accounts included Barack Obama, Bill Gates, Michael Bloomberg, Jeff Bezos, Elon Musk, Apple, and Uber. As a result of the breach, Twitter’s stock price fell by 4% and the release of its new API was halted to update security protocols and educate employees on social engineering attacks. This breach occurred because Twitter employees working from home were fooled by attackers posing as Twitter IT administrators.
Protecting Businesses From Employee Negligence
While there’s nothing you can do to guarantee with 100% certainty that you’ll never face a data breach caused by a negligent employee, there are several things that companies can do, and given the cost of a breach must do, to prevent employee negligence.
Protect Employee Devices
Any computer used to conduct company business, whether company-owned or personal, needs to have browser protection. This front-line defense works within the browser where most threats are found and blocks them BEFORE they reach the company network, not afterward like traditional antivirus programs.
Provide Company-Wide Cybersecurity Education
Employees should be trained on creating and using secure passwords, identifying phishing attempts (including CEO scams), the ways malware can enter a network, and social engineering attacks. To save on the company time required for training, multiple online training platforms offer evaluations that target training at individual employees in the areas where they need the most help.
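The "email seemingly from HR" scenario described earlier and the phishing-identification training above both come down to a handful of checks an employee (or a mail filter) can apply before clicking. The following is an added example, not code from the original post: a small Python triage routine that flags the common tells of such an email, given a message as raw RFC 822 text. The company domain `example.com`, the two sample messages, and the urgency phrase list are all constructed placeholders for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed company domain (placeholder); replace with the organization's own.
INTERNAL_DOMAIN = "example.com"

# Constructed list of pressure phrases typical of credential-phishing lures.
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended")

# Display names that claim an internal department.
CLAIMS_INTERNAL_DEPT = re.compile(r"\b(hr|human resources|it|payroll)\b", re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal(host: str) -> bool:
    """True for the company domain itself or any of its subdomains."""
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no tells found."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # Tell 1: the display name says "HR" but the mail comes from outside the company.
    if CLAIMS_INTERNAL_DEPT.search(display_name) and not _is_internal(from_dom):
        findings.append(f"display name '{display_name}' claims an internal department "
                        f"but sender domain is external ({from_dom})")

    # Tell 2: replies are silently redirected to a different domain.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain ({_domain(reply_to)}) differs from From domain ({from_dom})")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # Tell 3: the "update your file" link points somewhere other than the company.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not _is_internal(host):
            findings.append(f"link to external host {host}")

    # Tell 4: artificial time pressure.
    lowered = body.lower()
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        findings.append("urgency language in body")

    return findings


def is_suspicious(raw_message: str) -> bool:
    return bool(triage(raw_message))


# Constructed sample: the lure from the scenario in the post.
PHISH_SAMPLE = "\n".join([
    "From: HR Department <hr-update@example-benefits.net>",
    "To: staff@example.com",
    "Subject: Action required: update your employee file",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Please update your details within 24 hours at",
    "http://example-benefits.net/employee/update or your account will be suspended.",
])

# Constructed sample: a routine internal HR notice.
LEGIT_SAMPLE = "\n".join([
    "From: HR <hr@example.com>",
    "To: staff@example.com",
    "Subject: Open enrollment reminder",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Open enrollment closes next month. Review your elections at",
    "https://intranet.example.com/benefits when convenient.",
])

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, "->", triage(sample) or "no findings")
```

None of these checks is proof on its own (a real HR mailing may legitimately link to an outside benefits provider), which is exactly why the training point matters: the employee who sees two or three of these tells together should stop and verify through a known channel rather than the link.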
Create & Enforce Cybersecurity Policies
In today’s world, requiring password updates every 90 days isn’t enough. Employers need to set expectations for employees that encourage safe behavior. Malware is often disguised as software update alerts. Should employees perform their own software updates, or should these be handled by an IT administrator? Do employees know who to contact if they experience a problem with their computer, or are they at risk of falling victim to a tech support scam? These are all things that should be addressed in company cybersecurity policies.