Last year, 1,800 companies experienced a data breach, collectively compromising billions of records and impacting more than 422 million people, a 42% year-over-year increase.

Understanding that the financial, reputational and operational consequences of a data breach or cybersecurity incident can be devastating, companies are pouring money into cybersecurity investments. More than half of companies say they will increase cybersecurity spending in 2023, and global spending on security and risk management is expected to grow by 11% this year, reaching $188 billion, up from $158 billion just two years ago.

While these investments are well-intentioned and appropriately prioritized, they often fail to address the underlying factors that enable everything from convincing phishing scams to devastating ransomware attacks to take down even the most well-prepared companies.

That’s because, in many cases, people, not systems, are the problem. Verizon’s most recent Data Breach Investigations Report found that 82% of data breaches involved the human element, a catchall term for company insiders who compromise company and customer data.

In other words, despite the best efforts of cybersecurity teams and the most robust protocols to prevent data breaches, company insiders are undermining cybersecurity readiness when it matters most.

Here are three ways people are putting company data at risk and the steps any business can take to protect their data and prevent the serious consequences that come with failure to do so.

Ignorance

Unsurprisingly, most employees are not cybersecurity savants. Digital defense simply isn’t top-of-mind as they pursue their day-to-day priorities and professional responsibilities. Their bad behavior isn’t putting data in danger, but their ignorance is a real risk.

For example, even as phishing scam attempts have soared in recent years, many employees are unaware of the threat and cannot reliably identify and respond to these malicious messages.

At the same time, digital hygiene best practices often go ignored or unattended as people fail to regularly update their account passwords, share credentials across accounts or rely on easy-to-guess password combinations.

Additionally, the transition to remote or hybrid work has further conflated the distinction between work life and personal life, with consequences for technology use and data security when employees use personal devices to access company data or use company devices for personal reasons.

Ignorant insiders don’t mean to put company or customer data in danger. Still, their actions or ineptitude can be as destructive as a sophisticated hacker, requiring companies to train employees in best practices, implement oversight security measures and maintain accountability standards for internal cybersecurity standards.

Malice

Conversely, some insiders act maliciously, intentionally leveraging their trusted position and network access to misuse company or customer data. These insider threats are often motivated by money, as data is a valuable resource in today’s online economy and can be easily bought and sold on the dark web or through online chat rooms.

Others may be motivated by professional ambition, revenge or espionage, but regardless of the motivation, the consequences can be costly and far-reaching. With many companies making difficult employment decisions in the year ahead, malicious insiders are a particularly acute risk, requiring a combination of human intel and software solutions to prevent malicious insiders from damaging the company’s bottom line or hard-earned reputation.

Stress

Insider threats are traditionally divided into two categories: Accidental and malicious. The former act in ignorance while the latter intentionally thwart defensive practices for personal gain. However, the most recent research illuminates a third category that companies can’t afford to ignore: Stressed-out employees.

As the Harvard Business Review explains, “Rather than focusing on malicious attacks, security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity.”

With employees reporting record stress levels at work, leaders should consider employee load management and personal well-being as cybersecurity concerns and personnel issues.

Moreover, decision-makers need to be especially careful to avoid developing cybersecurity protocols in a vacuum, instituting policies and procedures without the valuable employee input and buy-in that ultimately makes these efforts successful.

Investing in Solutions with Impact

Companies are making significant investments in cybersecurity to protect themselves from data breaches and cyberattacks. However, the human element, which includes employee ignorance, malice and stress, remains a major source of risk.

By training employees to recognize and respond to the latest threats, implementing software solutions to prevent misuse and accounting for employee stress as a cybersecurity issue, companies can significantly reduce their risk of a data breach.