July 16, 2018 By David Bisson 2 min read

Employee negligence continues to be a top information security risk for key figures in the enterprise, especially IT security professionals who rely on internal threat reports to do their jobs. This risk can take the form of genuine human error, a lack of security awareness or even deliberate attempts to steal corporate data for personal gain.

According to the 2018 State of the Industry report from document destruction company Shred-it, 96 percent of Americans said they view employee negligence as at least a minor cause of data breaches against U.S. companies. Some were even more convinced: Eighty-four percent of C-suites see it as one of their biggest information security risks — and 51 percent of small-business owners agree.

Reflecting this viewpoint, the majority of U.S. businesses revealed that they’re struggling to keep pace with modern workplace trends. In particular, 86 percent of C-suites, and 60 percent of small-business owners said they believe the risk of a data breach is higher when employees work remotely.

How can companies increase cyber awareness among nontechnical employees and better incentivize them to report potential security issues before they become full-blown incidents?

What Are the Consequences of Employee Negligence?

According to the Shred-it report, two main factors are driving up the level of concern over instances of workforce negligence, which includes accessing company systems over remote and unsecured networks or improperly disposing of sensitive data.

Employee carelessness is the first factor and has historically been one of the primary causes of data breaches. The IBM X-Force team uncovered as much in its 2018 Threat Intelligence Index, noting that negligent actions were behind two-thirds of total records compromised in 2017.

Employee negligence is the second factor and makes the job of IT security professionals more difficult. To adequately defend organizations against cyberthreats, security teams need employees to report any issues they come across. However, organizations don’t always encourage them to do so. According to a 2016 Ponemon report, 67 percent of respondents said their organizations don’t provide incentives for employees to report security issues proactively.

This lack of engagement can cause small issues to evolve into major security incidents. For example, 79 percent of respondents to a Keeper Security survey that suffered ransomware attacks said the threat entered their systems through phishing emails.

Employees can help identify phishing attacks — but without the knowledge or incentive to do so, many either fall for the scam or simply keep it to themselves. As a result, security teams must devote their resources and respond to these issues that could have been prevented in the first place.

How Companies Can Minimize the Effects of Human Error

Organizations can counter negligence among their workforce by integrating data protection measures, such as resiliency backup and other disaster recovery tools, into their business practices.

Companies should also continuously evaluate the effectiveness of their security strategies and ensure that internal protocols are keeping pace with the increasingly sophisticated threat landscape. These policies should include ongoing security awareness training for the entire company and provide employees with incentives to report potential threats.

More from

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today