Few store managers would respond to revelations that a junior assistant had been stealing from the cash register by investing thousands of dollars in new security cameras. It could be far cheaper for them to instill hiring practices that vet employees and keep the bad ones out.
But all too often CEOs confronted with cyber attacks tend to do the opposite: they fret about possible weaknesses in their technology defenses, rather than taking a hard look at the people in their organization.
Evidence shows that many cyber attacks—estimated to cost the average American company more than $15 million per year—could be prevented with better people-management protocols.
Employee negligence or malicious acts accounted for two-thirds of cyber breaches, according to historical claim data analyzed by London-based consultancy Willis Towers Watson. Just 18% were directly driven by an external threat, and extortion accounted for a measly 2%.
Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behavior.
“The simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack,” said Anthony Dagostino, the company’s head of global cyber risk.
Addressing the problem could be a simple matter of conducting training sessions that advise employees to use approved software and apply strong passwords—or applying common sense practices around technology access. For example, perhaps it’s not such a great idea to allow staff to take their laptops home on a Friday evening, should they happen to be drop by the local bar to unwind after a hard week’s work.
Many hacks and extortion attempts occur when criminals impersonate senior executives at a company: a problem that can be dealt with by instructing staff to reply to senior executives in a fresh email, rather than clicking reply.
As for more malicious behavior, managers may want to introduce periodic background checks of employees to ensure that access to sensitive information is only provided on a need-to-know basis.
“The ‘people’ factor is often ignored, yet it is a critical element in building a strong defense,” according to Deloitte risk advisory partners Ivan Zasarsky and Tommy Viljoen.
“Computers don’t create crimes. It is the people who are using the computers that commit the crimes. And people in the organizations can be—and often are—complicit.”