
A warning to businesses – Your biggest cyber security risk is your staff

When we talk about cyber threats, most people picture hoodie-wearing hackers hammering away at keyboards in dark rooms. But the truth is that one of the biggest threats to your business isn’t sitting in some distant corner of the internet; it’s sitting at a desk in your office.

Yep, we’re talking about your own staff. It may sound harsh, but even with the latest cybersecurity measures in place, all it takes is one accidental click by an employee on a malicious link, and the entire business network could be compromised.

 

Why staff are the weakest cybersecurity link 

We’re definitely not saying that your staff are careless on purpose. But when it comes to cyber threats, human error is the number one cause of data breaches. In fact, studies show that over 80% of breaches come down to a simple mistake, like clicking the wrong link or using a weak password.

And the scary part is that it only takes one accidental click on a dodgy email or link to cause serious damage. We’re talking ransomware, data loss, system lockouts, you name it. Even the best tech security in the world can’t protect you if someone inside the business unknowingly opens the door.

 

Common staff mistakes that lead to cybersecurity risks 

These common actions can create big problems: 


Falling for phishing emails 

Thanks to various AI tools, these are getting harder and harder to spot. Employees might click on a link or open an attachment that looks completely legitimate, giving attackers direct access to company systems. 


Falling for business email compromise (BEC) 

Cybercriminals often impersonate executives or trusted suppliers to trick staff into transferring money or sharing sensitive data. These emails can look completely legitimate, especially when they come from a real but compromised account, making supply chains and management teams key targets. You can find out more about protecting your supply chains here. 


Using weak or reused passwords 

Repeating passwords across platforms makes life easier for hackers. A single compromised account can open the door to multiple systems. To help you make sure that your passwords are solid, take a look at our password best practices guide. 


Failing to update software 

Updates might feel annoying but skipping them leaves big holes for hackers to crawl through. 


Ignoring company security policies 

Sometimes it’s due to confusion, other times it’s convenience, but failing to follow policies like secure device usage or proper data handling can create vulnerabilities. 


Practical measures to reduce staff risk 

Now that you know how your staff could be a cybersecurity risk, here’s what you can do about it.

Run regular cybersecurity training

Educate staff on common threats, what to watch for, and how to respond. The more they know, the more likely they are to catch a phishing email or question an unusual request.


At The West Midlands Cyber Resilience Centre, we offer Security Awareness Training that covers these areas. It’s designed to educate staff at every level and build long-lasting awareness. Training like this is an investment in your people, and by extension, the safety of your business. 


Use phishing simulations 

These test whether employees can identify suspicious emails in a safe, controlled environment. It’s a great way to raise awareness and reinforce lessons. 


Enforce strong password practices and two-factor authentication (2FA) 

Require passwords that are unique and complex, and combine this with 2FA to add another layer of protection.


Create clear, accessible company policies 

Security policies shouldn’t be long-winded documents no one reads. Make sure your policies are easy to understand, clearly outline what’s acceptable, and cover topics like device use, data sharing, and email etiquette. 


Make security part of your culture 

When security becomes second nature, rather than just a checklist, staff are more likely to think critically and take responsibility for staying safe. 


Don’t overlook physical security 

Security isn’t just digital. ID badges, locked cabinets, secure building entry, and even awareness about discussing sensitive information in public places all play a role, particularly in industries where the data being held is sensitive.  


Stay clear of old systems 

Using outdated software (yes, even Windows 95 still appears in some corners!) not only increases risk but also sends the wrong message to staff and attackers. Make it clear that staying up to date is part of the company’s defence. 


Working remotely?  

Many staff are logging in from coffee shops, airports, or home networks. Public Wi-Fi introduces its own risks, so make sure your team knows how to stay safe on the go. If you need help with how to do this then check out our earlier blog on safe remote working. 


Final thoughts 

Cybersecurity isn’t just something for the IT team to worry about; it’s a people thing. You could have the most advanced tech in the world, but if your staff aren’t clued up and confident, you’re still at risk. Invest in training your team, not just your tools, and you’ll be in a much stronger position.

Need some support with your organisation’s cyber security? Contact us today to find out how we can help.  



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.


© 2024 The Cyber Resilience Centre for the West Midlands
