The Weakest Link: 4 Types of Employees that Threaten Cybersecurity

By: Jacquelyn Connelly
Up to 95% of data breaches result from human error, according to a recent survey from Willis Towers Watson—and that means cyber isn’t just an IT concern. It’s an HR one, too.
“It’s a bigger problem than people may think, because hacking is what makes headlines,” says Eric Cernak, vice president at Hartford Steam Boiler, which has reached similar research conclusions. “But people are unfortunately the weakest link.”
Every employee could compromise a business’s cybersecurity. Cernak separates them into four main categories:
The trusting. “We all want to trust each other. Trust increases productivity—when people want to help their co-workers get the job done, the organization operates more efficiently,” Cernak says. “But that is one of the biggest reasons we have business email compromise” [see sidebar].
According to Willis Towers Watson, even though 43% of employees have received a suspicious email at work, 46% believe opening any email on a work computer is safe. “You don’t want to tell people to be skeptical, but some level of skepticism is healthy,” Cernak explains.
The efficiency hounds. Sometimes referred to as “shadow IT,” these employees “simply want to do their jobs faster and better,” Cernak says. “They may go after newer technologies that might not be as proven, or might not be sanctioned by the business or its IT shop.”
It’s nothing malicious, but when employees deploy software and services “without the knowledge of the people who are trying to control everything, they may inadvertently cause some damage to their organization,” Cernak explains.
The oblivious. Sometimes, staff is simply unaware of organizational policies and procedures. “Maybe they don’t know they shouldn’t leave their laptop on the front seat of their car when they run into the grocery store,” Cernak points out. “Or maybe they’re writing down their credentials and taping it to the cover of their laptop. There’s no malintent there—they just don’t know any better.”
The bad actors. “Unfortunately, you may have subversive people who are looking to make money, and they do mean harm,” Cernak says. “The only way you can get around that is by doing background checks and really knowing who you’re hiring.”
For tips on how to help your commercial clients reduce cyber risk associated with the human element, check out “How to Manage Cyber Risk: Start with People.”
Jacquelyn Connelly is IA senior editor.
Predator vs. Prey
Here are a few common employee-dependent cyberattacks to watch out for: