Published on May 25th, 2018

Employees pose biggest cyber security risk

Employees are the biggest cyber security weakness of many companies

Cyber attacks on companies have become a lucrative business model for many criminals. Small and medium-sized companies, which often underestimate the dangers of data thieves, are particularly affected. The biggest security risk: your own employees.

Digitalization and increasing networking are penetrating more and more areas of life. At the same time, cyber security will play an increasingly important role in ensuring the confidentiality, integrity and availability of information. After all, our society is increasingly dependent on digital structures.

However, the security of digital systems presents the economy with major challenges. According to a survey conducted by the management consultancy EY, more than 70 percent of all German companies have been the victims of cybercrime over the past two years, the majority of them small and medium-sized enterprises (SMEs). Many of them attract criminals with valuable know-how, but at the same time signal less resistance than large companies, which usually have a professional security architecture. In medium-sized companies, on the other hand, the topic is often dismissed as too annoying, there is too little time, and there are no experts in the company anyway. Perfect conditions for data thieves and blackmailers.

SMEs often lack the awareness of Internet risks needed to recognise the importance of cyber security. As long as there has not been a cyber attack, many companies take the subject lightly. According to the motto “Nothing has ever happened to us before”, risks go unrecognized, and awareness is often only awakened after such an attack. In addition, the topic is complex and there is a certain reluctance to engage with it. The solutions are also often complex and expensive. Management therefore often finds more than enough reasons not to treat cyber security as a top priority. For lack of resources and understanding, leaders often rely on an inadequate firewall and a mediocre anti-virus scanner. However, this is often not enough, as the study above shows.

Less than 50 percent are insured against operational failures due to cyber attacks

However, outdated or inadequate technology is not the greatest danger for smaller companies in the fight against criminals. The number one security risk is your own employees. Most bosses negligently assume that their employees will detect malicious email attachments as soon as they arrive in their inbox. Yet if one in ten employees is careless for a moment, a malicious email attachment opens the door to attackers. Equally popular with data thieves are phishing e-mails in which they pose as an employee’s manager in order to order a bank transfer and withdraw money from the company within minutes.

The theoretical danger, which seems so far away for many people, can quickly become very real, and not only for small and medium-sized enterprises. If a doctor’s practice loses sensitive patient data due to a cyber attack, its reputation can quickly be ruined and an entire livelihood can be at stake. Even a small shop that has to halt operations because of an attack from the network and cancel several orders will quickly feel the economic consequences and will probably recover from the damage only slowly or at great expense. And not even half of all German companies are insured against such a business interruption, as the management consultancy EY determined.

Politics can get things moving, but companies have to implement it

The topic has now also reached politicians. In the current coalition agreement, the CDU/CSU and the SPD stated that small businesses are not yet sufficiently aware of the dangers of cybercrime. In addition to the 2016 cyber security strategy, the parties announced a national pact for cyber security. Alongside law enforcement, policymakers are focusing above all on a preventive approach, on raising awareness and on regulating companies at risk.

This is reinforced by the EU General Data Protection Regulation, applicable from 25 May 2018, which requires companies, under threat of high fines, to ensure significantly better protection of personal data through appropriate technical and organisational measures. The German Federal Office for Information Security is an expert point of contact for businesses, while the Alliance for Cyber Security has created an instructive platform on the subject. All this is a good first step, and we will see what practical impact these measures have.

Only those who prepare prevent the damage

It is not enough, however, to rely on politics alone. Above all, companies themselves must be vigilant and sensitize their employees to digital security issues. Employees are often the weakest link in the chain and are exploited by attackers.

It sounds simple, but proactive prevention is actually one of the best measures against attacks from the Internet. A well-thought-out cyber security concept and employee training help to prevent cyber attacks in the first place. With targeted prevention and employee training, for example with training videos, attackers are given no chance at all.

This article was originally published in German as an Insider contribution on Xing.