Lack of employee training is behind 80% of company data breaches

When you think of cybersecurity, you probably think of cutting-edge tech tools used to keep companies’ data safe from outside attacks. But the real threat may be less technical than most organizations realize: good old human error. 

Over 80% of all company data breaches are caused by people, according to a recent report by cybersecurity resource platform SANS. Of these breaches, the most popular kind include phishing and business email compromise scams — when people are manipulated by an attacker to divulge delicate information — and ransomware. But employees alone shouldn’t take all the blame, according to Lance Spitzner, senior instructor at SANS. Companies play a role, too. 

“I am not a fan of saying people are the weakest link — that implies it's their fault,” Spitzner says. “I like the term, ‘people are the primary attack factor.’ And why is that? Because we've not done a good job at securing people.”

Read More: Cyber stress: This is why employees are more worried about their virtual security

Less than 25% of security awareness professionals have experience in training, communications, HR or other necessary skills for effective teaching, according to the SANS report. As Spitzner explains, this is usually because big companies will typically have robust IT and cybersecurity departments with over 100 staff and specialists focused on the tech, and task just one or two people from those teams to also lead security awareness programs with the other employees at the company.

“The human side of cybersecurity is literally an afterthought, and that is why people are so vulnerable. It's not that they're bad, weak or stupid — it's that quite often organizations invest in them so little,” Spitzner says. “The problem is, you have highly technical people in charge of the training. How do you engage your workforce? How do you make security simple for people? That’s hard to figure out for technical people.”

Not enough companies are thinking about cybersecurity as a two-fold problem, according to Spitzner. There is so much emphasis on the technology, hardware and practices necessary to keep devices safe, that companies often forget that attackers aren’t targeting tech — they’re targeting people. And without proper security awareness training, it’s easier for their attacks to succeed.

According to the Identity Theft Resource Center's 2021 Data Breach Report, there were 1,862 breaches last year, up 68% from the year prior, and exceeding 2017’s previous record of 1,506. And while remote work and security accidents at the employee level — such as emails sent to the wrong entities or misusing the company cloud — are semi-responsible, inadequate employee training is the top issue IT departments face. 

Read More: 4 ways plan participants and vendors can help improve cybersecurity

“There are security teams who think people are not even part of their job,” Spitzner says. “And we know what people need to do — multi-factor authentication systems. Why aren't people doing it? Because employees are confused and overwhelmed. Nobody is doing MFA simply because we're doing a bad job of communicating how.” 

The solution, Spitzner says, is investing as much money and resources into hiring full-time safety awareness staff with backgrounds in communications and people management instead of just tech. The silver lining? Organizations are starting to embrace that change and staff up. 

“Many of the organizations I know have added a full-time dedicated security awareness team just within the past year,” he says. “What companies should be doing, I'm finally seeing it happening.”