It’s important to understand why people are a company’s biggest IT security risk. There’s a simple reason for this. People act like people, not like machines following programmed logic. Here’s one example: an employee tells an acquaintance from another business that the company is using an outdated version of the CRM. An employee working for a competitor overhears this conversation and makes a note of everything.  

Many hacking attacks start out this way. Another thorny issue is the behaviour of laid-off employees expressing their frustration. Most companies that have experienced attacks would agree that it would not have been possible to carry out a successful hacking attempt without the “human factor”. 

An aversion to complicated passwords is another all-too-human factor. Whether it’s the name of the family dog or a three-digit number, many passwords are just easy to guess. On top of that, people often reuse passwords or, in the worst case, note them down somewhere that is publicly accessible – such as on a Post-it. 

Employees are often unaware how dangerous these seemingly normal actions are. All it takes is one small-time criminal pretending to work for the cleaning company to type in a password that’s been left lying around – and steal company data on a USB stick or install malware. If they have a bit more time to try out the password on other PCs or systems, they will very likely be able to access even more critical data. 

People like to be praised. We like to hear that we’re doing a good job. When they’re in this mood, employees tend to reveal things about their job. An attacker can exploit this human weakness to tease out important information with a bit of skilful questioning. 

In addition, any attacker has access to all information shared on social media. This risk is particularly high for inexperienced or frustrated employees. Speaking of social media, the web applications of popular messaging services pose another risk if they are used on company computers. Every security vulnerability they have can become a gateway for attacks on your company systems. Not to mention, these applications are an easy way to spread dangerous files in the hopes they will be downloaded. 

Want to provide your employees with WiFi? Great idea! Want to make it accessible for private devices, too? Very bad idea. Your company has no control over the security of outside devices. This opens a doorway for attackers. The same is true of other private devices often used at work, such as USB sticks or external hard drives. This “shadow IT” normally exists without the IT department’s knowledge and is a security risk. 

It can also be dangerous to use company laptops for private purposes. Even normal recreational use increases the risk to the company – for example, if the employee uses private or unsecured public WiFi networks. 

Imagine your accountant has accidentally printed out two copies of the payroll. He throws the extra copy into the bin. Any other employee or – even worse! – a competitor could find it. This is all it takes for strategic company data to get into the wrong hands. 

The same is true of the digital world. Keeping sensitive data which is no longer required on a PC runs the risk of important information being exposed in an attack. Employees also might not report this kind of data loss – if they even remember still having the documents stored.