The most significant risks to SMBs don’t always come from threats with catchy names like WannaCry. Instead, the biggest threats can come from sources with more mundane names like “Paula in Accounting” or “Dave in Purchasing.” That’s because the most acute cybersecurity risk in any organization comes from within. Yes, hackers can do their thing and need to be monitored, but Paula in Accounting can be even more menacing.
Paula and Dave don’t need to be bad people. Chances are they’re just opening that video of cute puppies riding on a unicycle that their friend sent them, or carelessly setting their password to ‘12345.’
The human element of cyber risk is the major cause of 90 to 95 percent of security incidents.
How to mitigate internal risk
There are a number of technical steps your IT department or service provider can and should take. One major step that is often ignored is identifying the risky user. Once the risky user has been identified, the key is to preempt the poor practices that can be stopped, without impacting business productivity. This includes education and warnings on the key poor behaviours.
The core issue is very often people who make mistakes, get tricked, or don’t know any better: choosing guessable (or crackable) passwords, failing to apply updates, clicking their way into trouble on the web, and getting duped by phishing scams. These, in turn, give attackers and malware the opportunity to gain a foothold.
Your IT department or service provider should be helping here, for example by enforcing good password practices, maintaining appropriate update and patch status, and preventing access to blacklisted sites and domains. Indeed, taking care of these baseline technical aspects can provide a safety net against many employee errors. Having said this, what we have found even more effective is employee awareness education and training, to ensure that staff appreciate the reason for the user-facing security controls and understand how to use them.
Ransomware and malware attacks are continually on the rise, so it’s important for every organization to implement security policies and procedures that keep its network and data safe. Businesses of all sizes need to take the time to develop formal, documented IT security policies, and to revisit these policies and procedures on a regular basis to keep them in line with the business environment.
Security is a Process not a Product