3 in 4 execs expect cybersecurity breaches from 'internal staff error'

'Given the increase in virtual/hybrid work, companies should do cybersecurity training at least quarterly'

For all the talk of companies facing ransomware attacks, many executives (71%) actually believe that their company's next cybersecurity breach will likely be because of an internal staff error.

This is close to the 75% of respondents who said that their next cybersecurity breach would be because of an external hacker, according to a survey by EisnerAmper's Outsourced IT Services.

Other causes cited by the respondents include:

  • a third-party vendor (27%)
  • malicious internal staff intent (23%)
  • a lack of training (18%)
  • lost or stolen equipment (18%)
  • old or unreliable software or hardware (15%)
  • a lack of protocols or policy (13%)
  • significant use of open source or cloud technology (13%)
  • use of corporate equipment by non-employees (6%)

The findings come as various employers recently reported cybersecurity breaches, putting at risk the information of employees and customers alike.

In South Australia, over 90,000 public servants had their personal data stolen after a cyberattack on the state government's payroll provider.

In Canada, employees of Huron-Superior Catholic District School Board may have had their personal information compromised due to a recent cyberattack.

COVID-19 vaccine maker AstraZeneca even alleged in 2020 that its employees were targeted by cyberattacks from North Korea through fake job offers.

Rahul Mahna, partner and head of Outsourced IT Services at EisnerAmper, said the advent of virtual and hybrid work "exposed a wide array of new cybersecurity threats, many coming from the inside."

Preparations for cyberattacks

Findings from EisnerAmper's report also revealed that 51% of employers are only "somewhat prepared" for cyberattacks, while only 39% feel "very prepared" for them.

Only 50% of the 113 executive respondents said they are conducting regular cybersecurity training, while 32% admitted that their annual spend on cybersecurity as a percentage of overall technology outlays was only between one and three per cent.

The report also found that only eight per cent of employers are planning to increase their IT budgets, while 24% plan to increase their IT staffing.

The pandemic has prompted "huge spikes" in COVID-19 fraud through phishing emails and fake websites. By 2022, KnowBe4 revealed that employees are more likely to be victimised by HR-related phishing emails.

More investment urged

With cybersecurity threats coming from the inside, employers are urged to "optimise their resources" to ensure that they are taking proactive measures.

"An important first step is training staff and refreshing that education at regular intervals. Given the increase in virtual/hybrid work, most companies should be conducting cybersecurity training at least quarterly," Mahna said in a statement.

Employers are also told to place a higher premium on cybersecurity spending to avoid potential losses in the future.

"In good times or bad, cybersecurity spending should always remain a top priority that yields significant return in losses avoided," Mahna said.