Do you ever wonder what’s the biggest root cause of successful cybercrime and hacking exploits? Bad guys who want your money or sensitive information? Nope. Cyber-demonstrators, who want to make a political point? Hardly. It’s you and your staff.

Screamer headlines in the media give us plenty of examples of IT insecurity. But often, media reports leave out an important fact: human behavior is a major contributor to cyber-attacks and other IT security problems.

The costs of apathy and denial

Mix a love of convenience, the habit of procrastination, and a robust sense of denial. When it comes to network security, these very human flaws are a perfect recipe for disaster. “Security breach? Can’t happen here, bro, we have the latest antivirus app.”

What cybercrooks know and we need to learn

The techno-wizardry of remote-controlled, distributed denial-of-service (DDoS) attacks makes it easy to forget the human element of cybersecurity. Governments and enterprises spend billions of dollars to develop and implement new technologies to solve what they see as a technology problem.

Improving IT security firepower certainly reduces the harm of cyber-attacks. However, the bad guys will keep the upper hand if we forget that:

  • We’re not doing enough to deal with cybersecurity’s biggest, most persistent threat — human behavior.
  • The easiest way to break into an IT system is to take advantage of users’ predictably poor cyber-hygiene.
  • It’s simpler and much less expensive than a techno-fix to identify users’ bad cybersecurity habits and promote good ones.

Why the human element matters

There’s a good reason why it’s time to make human behavior a bigger part of IT security—two reasons, in fact:

  • Cyber-crime recovery costs are spiraling. An Accenture study shows that the average yearly cost of cybercrime for international companies has increased by close to 62%, from $7.2 million in 2013 to $11.7 million in 2017. And these are just average direct costs.
  • Mitigation via human behavior is easier and less expensive. Adding technology solutions to your IT infrastructure is time-consuming and expensive. It takes less time, effort, and money to reduce cyber-threats by improving human behavior.

Given the costs and average 50-day recovery time cited in the Accenture study, it’s easy to see how positive human behavior engineering can take a bite out of the costs and harm of cyber-attacks.

Taking a bite out of cyber-crime

When there’s a data breach, its root cause is usually a vulnerability caused by employees, who:

  • Don’t recognize emerging cyber-threats. Cyber-attack methods and technologies are constantly changing. Keeping up with the bad guys requires vigilance and training.
  • Don’t know how to report incidents. Incident reporting should be part of every new hire’s security awareness training—and a topic of refresher training thereafter.
  • Engage in weak data security practices. In a recent report, almost all employees surveyed admitted to at least one type of risky cybersecurity behavior.

So, what’s the strategy to reduce risks of cyber-attacks? Taking a new approach and taking action.

Psychologists look at cyberattack prevention

The human causes of security vulnerabilities are psychological. This fact encourages researchers into human psychology to offer these potential solutions:

  • Build strong defaults into security practices. Users generally accept and use the default settings that are already configured on their computers and devices. So, consider starting with settings that help users do the right thing.
  • Use calendar commitments to encourage security updates. Using the ever-present “sometime later” update option is dangerous. Research shows that getting a specific commitment works much better. Nudge employees to devote a specific time on their calendar to complete important security tasks.
  • Compare employees to their peers. A sense of pride and competition helps your sales staff work more productively. Consider adding the same approach to IT security best practices.
  • Avoid one-and-done security training. The only security awareness training that really works is an ongoing process, which uses periodic, on-the-job audits and reviews. This approach is most successful when employees learn when they make mistakes and how to avoid them in the future.

Highlight the most vulnerable parts of your security system

Looking for the best results of your cyberattack prevention strategy? Focus your security awareness on these employee behaviors and parts of your IT infrastructure.

  • Applications: Don’t install them unless IT gives the go-ahead. Yes, it’s hard to avoid the allure of shadow IT, so make the dangers of self-installed apps part of security awareness training.
  • Login credentials: Don’t share them. Password sharing often gets little management attention, but it’s a security mistake that happens frequently.
  • Company files: Never upload files to personal cloud storage. Employees might have good intentions to work offline. However, there’s no way to know if personal cloud-based storage accounts have the robust security protocols, compliance features, or proper configurations that protect data at work. (They probably don’t.) The solution: clearly defined data storage and transfer policies.
  • Business email: Be careful in how you handle it. Phishing exploits are getting very sophisticated. Making your staff aware of these subtleties is a prime topic for security awareness training.

Emphasis on awareness and prevention

Old habits die hard. Everyone, from IT team members and tenured employees to C-level executives, has bad habits that expose organizations to security threats. Current research and best practices suggest placing a higher priority on identifying and fixing internal security risks, providing security awareness training to protect employees and data against sophisticated, evolving threats, and emphasizing positive training tactics that help employees identify security mistakes and avoid them in the future.