Experts Say Employee Error Accounts for Most Security Breaches

By Michael R. Overly, Eileen R. Ridley and Chanley T. Howell July 21, 2016
A recent study by U.K.-based Egress Software Technologies, an information security company, refutes one of the most common information security fallacies—that information security is a technology problem.

Most businesses view the responsibility of mitigating information security risks as being squarely in the purview of their information technology department. However, the Egress report reveals that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking. 

While such technological measures as anti-virus software, access controls, firewalls and intrusion detection systems are clearly important, their effectiveness pales in comparison to the benefits gained by providing security awareness training to employees.

Just as troubling, a recent report from Leesburg, Va.-based information security company PhishMe, the PhishMe Q1 2016 Malware Review, revealed a 789 percent increase in e-mail phishing attacks carrying malicious code, including ransomware, in the first quarter of 2016 compared with the final quarter of 2015.

Humans Are Fallible

Phishing is an attempt to obtain confidential information, or access to it, by fraudulently posing as a legitimate company or contact via e-mail, instant message or other electronic communication. It tends to work well on employees who have not been trained to recognize these scams. A successful phishing expedition can result in the loss of confidential and financial information, system disruption, and consumer litigation exposure.

Every industry is impacted and at risk.

The results of these studies should serve as a clarion call to businesses. According to the fourth edition of the Common Sense Guide to Mitigating Insider Threats from the Carnegie Mellon Software Engineering Institute, security awareness training is the key to improved security. Yet, it is one of the most neglected areas in many businesses' information security programs.

Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.

Awareness training can ensure employees have a solid understanding of employer security practices and policies and can also teach employees the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, untrained employees are much more susceptible to malware, phishing attacks and other forms of social engineering. They can do substantial harm to a company's systems and put its data at risk. The recent spate of ransomware attacks highlights just how critical the human element really is, as almost every one of those attacks resulted from human error.

What Effective Training Looks Like

First, it is critical that training programs have the participation of, and include input from, all relevant stakeholders at the company, including those in the human resources, information technology, information security, legal and compliance departments.

A successful training program should:

  • Train employees on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization.
  • Train creatively, not just in a classroom setting.
  • Look for opportunities to introduce interactivity into the training process.
  • Have a means of measuring progress.

To be truly effective, a security awareness program must provide "multiple methods of communicating awareness and educating employees as well (for example, posters, letters, memos, web-based training, meetings and promotions)," according to the Egress report.

Training can be conducted through a number of means:

  • Classroom sessions.
  • Webinars.
  • Security posters and other materials in common areas.
  • Brown-bag lunch meetings.
  • Helpful hints distributed to employees via e-mail or corporate intranet posts.
  • Simulated phishing attacks. (There are systems that periodically send phishing e-mails to employees in an attempt to lure them into clicking on an attachment or a hyperlink; if the employee does click, the system alerts the employee that he or she has engaged in an insecure activity.)

Additionally, comprehensive and understandable employee policies are critical to a company's information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.

Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only protects their employer's systems, but also helps employees better secure their own personal data and computers. For example, employees who become more vigilant in identifying potential phishing attacks at work will carry that vigilance over to their home e-mail accounts and thereby be better able to protect their own data, photographs, financial accounts, etc.

To assist businesses in effective security awareness training, we have developed this Employee Information Security Checklist, which highlights key areas for employees to better protect not only their employer's systems and data, but also their personal systems and data.
Michael R. Overly, Eileen R. Ridley and Chanley T. Howell are attorneys with Foley & Lardner LLP, an international law firm based in Milwaukee.