85% of company data breaches relate to employees making the wrong choice

Just as the IPS YouGov survey revealed that UK citizens rank personal data security as our number one security concern these days, a research report from global technology advisors Gartner confirms a similar story for businesses: nearly half of all Board directors surveyed agree that cybersecurity is a risk to their business.

In fact, the only issue more concerning was government fines relating to regulation and compliance issues. Some of those fines can be triggered by data breaches, so the two top corporate worries are very much related. Reducing the cybersecurity risk means significant, ongoing investment in educating employees to make smarter decisions that keep fraudsters out.

Gartner helps businesses better educate their employees about improving behaviours to keep scammers out of business networks and operations.  Their research sheds light on the true cost of scams to business and end customers (with the subsequent increase in prices for goods, services and premiums):

  • 10% of recent data breaches involved ransomware, and the average ransom payment made by companies to get their data back in January – March 2021 was £160,000.
  • The average cost of a data breach to companies in the US rose to $8.64 million in 2020.

During the pandemic there has been a rise in remote working, a break with the traditional use of office networks and company PCs and a rise in the ‘keyboard warriors’ working on their home laptop in the local Starbucks or even from a beach bar in Costa Rica.  This loosening of corporate control has led to an inevitable rise in the number of risks faced by businesses: risks that their own unique data can be compromised, stolen, shared or used against them in a ransomware attack.  The risks start with basic hygiene, like how secure the Wi-Fi network in that Costa Rican bar is, but risks are growing in all directions as highly sophisticated scammers design new and ingenious methods for getting behind company defences.  However, even as the tech wizardry of the scammers is on the rise, it remains stubbornly true that breaches caused by employees clicking a fake email or unwittingly revealing useful information on a call are still the most common and the easiest win for the criminal.

Gartner recommends that companies follow three key principles to turn the risk around and transform employees into advocates for anti-scamming behaviours that protect the companies, their customers and their financial security.  As with consumers at home, employees need access to knowledge and education to ‘do the right thing’, so it is up to companies to:


1 – Set the Vision: Publish a list of signature behaviours

Get a cross-functional team together to agree on some achievable behaviours that everyone can recognise and adopt.  Underneath a vision like ‘We are a security-conscious workforce’ can sit easy-to-understand behaviours like:

  • We use three word passphrases to construct passwords
  • We always forward suspicious emails to internal security
  • We always use the approved file transfer solution


2 – Define measurable behaviours and outcomes (to track progress beyond tick boxes)

Companies need to conduct regular internal spot checks on employees’ security behaviour.  These insights reveal where to focus energies on prevention before the more costly need for ‘finding a cure’.  In a world where we know there is a surge in scamming attempts, security leaders need to measure, report and share internal trends in:

  • Month-on-month reports of phishing attempts forwarded to the security team
  • Results of “mystery shopper” phishing simulations: how many employees still click on risky links?
  • Time spent reading security newsletters (and consideration of aligning training and certification with performance reviews and remuneration)


3 – Connect awareness and behaviours to measurable business value

If you measure the results of 1 and 2 you can link the changes in behaviour to what business leaders really care about: brand reputation, improvements in risk management metrics, fewer losses and less downtime, and reduced customer churn as a result of data losses and negative publicity.  Put simply, businesses need their training and knowledge-sharing efforts to deliver improved decision making by employees that results in fewer cybersecurity incidents.

You can read more about Gartner’s report here:

IPS Summary

Losses from a major fraud at an insurance company need to be recovered by that company and will often lead to higher premiums for customers. Online fraud is becoming a more frequent ‘cost of doing business’ across sectors and industries. IPS stands for the interests of our members, and we write to create awareness of the connection between the prices we pay for goods and services and the threats that scammers pose to those prices.

Many members are employees as well. Without naming the company you work for, we would love to hear from you about the efforts your company is making to keep scammers out.

Have your say

As an IPS member, you can leave us your thoughts, comments and experiences in the comments section below.
