Small and medium businesses, remember: your employees might compromise cybersecurity

June 28, 2023 - 11:25
By Adrian Hia, Managing Director for Asia Pacific at Kaspersky

Many small and medium-sized enterprises think they can do without cybersecurity solutions since they believe they are not the targets of cybercriminals.

However, a recent study found that nearly 46% of all cyberattacks are targeted at SMEs.

Besides, according to data from the World Economic Forum, 95% of cybersecurity breaches are attributed to human error, meaning some improper behavior might lead to financial or reputational loss or decreased productivity for the business.

A survey by Kaspersky found that 22 percent of data leakages in the sector were caused by employees.

Almost the same proportion was due to cyberattacks, which makes employees almost as dangerous as hackers. Of course, in most cases this happens because of employee negligence or lack of awareness.

There are various ways that employees’ actions can unintentionally lead to serious security breaches and harm the cybersecurity of small and medium businesses. The main ones are:

1. Weak Passwords: Employees might use simple or easily guessed passwords, which cybercriminals can crack with little effort, ultimately resulting in unauthorized access to sensitive data. There is even a published list of the most frequently hacked passwords; check that yours is not among them.

2. Phishing Scams: Employees might accidentally or unknowingly click on phishing links in emails, leading to malware infections and unauthorized access to the network.

[Figure: Example of a mass malicious mailing message]

3. Bring Your Own Device (BYOD) Policy: BYOD gained greater impetus as a result of the successive lockdowns during the height of the COVID-19 pandemic. At this time, staff in non-essential sectors were forced to work from home, and business continuity rather than security was foremost in the minds of company managers.

4. Lack of Patching: If employees use personal devices, IT staff may not be able to monitor the security of those devices or troubleshoot any security issues. Furthermore, the employees might not apply patches or updates to their systems and software regularly, leaving vulnerabilities that can be exploited by cybercriminals.

5. Ransomware: Because of ransomware attacks, it is important to back up your data, so that the company retains access to its information even if cybercriminals have managed to take over and encrypt its systems.

6. Social Engineering: Employees might unintentionally provide sensitive information such as login details, passwords and other confidential data in response to social engineering tactics or phishing scams.

These are mistakes that employees can make out of negligence. But what can happen when an employee deliberately seeks to undermine a company’s security while employed or right after leaving their job?

More trouble may arise then.

Although innocent mistakes and ignoring cybersecurity policies were behind most leakages, security managers reported that around a third (36 percent) of employee-triggered leakages were deliberate acts of sabotage or espionage.

The high number of cyber incidents stemming from employee action shows that all organisations need thorough cybersecurity awareness training to teach staff how to avoid common security mistakes.

Businesses should use endpoint protection with threat detection and response capabilities to reduce the risk of attacks and data breaches. Managed protection services will also assist organizations with attack investigation and a professional response.

To lessen the possibility of incidents brought on by employees, thorough cybersecurity awareness training that teaches how to prevent common security threats is also necessary.
