SymQuest Tech Talk

5 Reasons Why Your Employees are Your Biggest Cybersecurity Threat

Written by Frederick Anderson | April 22, 2020

It happens every single day—people open emails from unknown senders, click on mysterious links out of curiosity, and even print out sensitive information and leave it sitting on the printer.

These actions certainly aren’t uncommon. But when they occur at your company, it’s a major problem for your business’s cybersecurity.

In this day and age, you know that IT security is vitally important to your business. It’s just as important as the physical security of your building. Firewalls, email filtering, security patches—these measures are well-known to businesses of all sizes. However, even if you have the right security software and monitoring in place, you may still be overlooking the biggest threat of all to your IT security: your employees.

Sure, your employees are good people. Chances are that they would never do anything intentionally to hurt your business. But human error is the cause of the majority of business cyber attacks. It’s not because people are trying to be malicious; it’s the result of preventable mistakes.  

We can’t assume that every employee knows and understands IT security best practices. Here are the top ways employees may be making your company vulnerable to a cyber attack.

1. Falling for Phishing and Link Scams


Phishing scams are designed to trick people into providing valuable information. The most common type of phishing attack that a business might experience is an email scam. Employees receive emails that appear to be from legitimate sources, but the real purpose of these emails is to trick people into providing sensitive information.

Phishers try to convince people to install malicious software or hand over information under false pretenses. Companies need to train—and test—their employees in order to prevent phishers from gaining access to this information.

79 percent of people claim to be able to distinguish a phishing message from a genuine one, according to a 2019 study presented by Webroot in partnership with Wakefield Research. But just because people are aware of the risks doesn’t mean they always follow best practices. According to the same survey, nearly half (49 percent) of participants admit to clicking on a link from an unknown sender while at work, and 29 percent admit to doing so more than once.

This is where employee training really comes into play. Many employees assume that the right defenses are in place to protect against these types of threats. However, technology is changing constantly. Phishing attacks and link scams are becoming more advanced, and a business’s technology can’t always keep up. It’s important for employees to be able to recognize the signs of a cyber attack instead of just relying on the company’s IT defenses.

2. Being a Victim of Social Engineering

Social engineering is a form of business attack that could be called a “con job.” It involves manipulating people to get them to break normal security procedures, often appealing to their willingness to be helpful. For example, the attacker might pretend to be a coworker who has some kind of urgent problem that requires access to additional network resources.

To avoid social engineering attacks, companies need to have clear security procedures in place. These procedures should include documentation for who has access to which pieces of information. That way, there can be no hesitations or second-guessing; the rules are clear.

3. Unrestrained Web Browsing

For many job functions, the internet is an invaluable resource. But browsing online can also mean treading in dangerous waters.

Many web browsers come equipped with features that help protect users from unsavory websites or ads, but the risks still exist. With web filtering, employees can be blocked from accessing websites that are known to be malicious.

Web filtering isn’t simply a matter of making sure that your employees aren’t wasting time on YouTube or exhibiting questionable taste. The point is to take serious steps toward protecting your network while maximizing your workforce’s productivity.        

4. Bad Password Habits    

No doubt your company uses several applications, such as email, project management tools, and accounting software, to facilitate your work. Proper password management isn’t always common sense; employees actually need to be taught best practices for creating and protecting their passwords.

Password awareness should include the basics such as how to create a secure password, never writing a password down, and changing passwords every few months.

It may not be enough to simply tell employees the best practices. Take it one step further and make password protection a company policy. Put password changes on the calendar and make them mandatory.

Sometimes, employees complain that changing passwords so often and not being allowed to write them down makes them too hard to remember. If this is the case, use a password tool to securely store and save all of your company’s passwords. Set user-level permissions for who has access to which password.

5. Vulnerable Document Processes

Printing, storing, and sending confidential documents poses yet another security risk to your business.

Printers are so ubiquitous that many companies don’t realize they are also a security risk. But today’s printers are advanced, and many are fully-fledged networked computers that are vulnerable to cyber attacks—especially if they are not properly updated with password changes and the latest security patches.  

While data theft is a real possibility with printers (and security measures like encrypted connections and properly destroying printer hard drives should be implemented), employee printing behavior poses just as much risk. Here are some document-related employee habits that could be dangerous to your business:

  • Printing out sensitive information and leaving it sitting around
  • Leaving filing cabinets unlocked or otherwise accessible
  • Storing documents in multiple locations, such as in paper files and on your company server  
  • Being careless about who has access to files with sensitive information

All of these habits can be changed with education, awareness, and policy. Once business leaders understand the document security risks within their organization, the right measures can be put into place to prevent damage.

Protecting Your Organization

Monitoring and security software are vital components in any healthy business IT plan. But the human element of cyber security can’t be overlooked. Ensure that your employees have the tools—and especially the training—they need to help protect your business from a cyber attack.

Cyber security is everyone’s responsibility. If you need guidance to implement cyber security training and policies in your organization, contact SymQuest today and speak with an expert. 

Editor’s Note: This post was originally published on November 2, 2017, and has been updated for accuracy and current best practices.