Common data security breaches caused by employees

Cyber-crime continues to threaten small businesses with more frequent and sophisticated attacks. It has been reported that a small to medium enterprise (SME) is successfully hacked every 19 seconds, and that there are more than 60,000 hacking attempts per day in the UK alone.2 While technology such as spam filters and endpoint security products plays an important role, the vigilance of your employees remains your best line of defence.

Unfortunately, employees make a range of mistakes that can lead to data breaches. From failing to install software security updates to using weak passwords and falling for scam emails, human error can have devastating consequences for data protection and system security. According to a study by Cybint, human error contributes to 95% of cyber security breaches.1

A cyber liability insurance policy can provide protection in the event of a data breach. Still, there is no substitute for well-informed and vigilant employees when it comes to cyber security.

Here are some of the most frequent, unintentional human errors that lead to data breaches.

Falling for a suspicious email

The rise in remote working has given cyber-criminals a particular opportunity. In an office, an employee who found an email suspicious might say so to colleagues nearby, prompting discussion and sharing what each person knows. Working alone, we rely on our own knowledge and judgement in that moment, and that is when a phishing email gets through and puts the business at risk.

Sending data to incorrect recipients via email

Sending an email to the wrong recipient is a common threat to data security. Who doesn't rely on auto-complete suggestions when addressing an email? It is easy to send confidential information to the wrong person by accident, or worse, to a whole group of people.

In 2020, Sonos accidentally exposed the email addresses of hundreds of customers. In total, 450 email addresses were inadvertently exposed when they were copied (CC), rather than blind copied (BCC), into an email.4

This is a typical example of a skill-based error: the employee knew the correct process but did not pay enough attention while carrying it out.
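One technical control for exactly this mistake is an outbound mail check that counts the external addresses visible in To and Cc and either blocks the message or moves them into Bcc. The block below is an added example written for this article, not code from the original page or from any product it mentions; the internal domain, the threshold of five and the sample message are constructed assumptions.

```python
"""Outbound mail check that catches the Cc-instead-of-Bcc mistake.

Added example for this article, not code from the original page or from
any product it mentions. The internal domain, the threshold and the sample
message below are assumptions constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"   # assumption: the sending organisation
MAX_VISIBLE_EXTERNAL = 5          # assumption: policy threshold for To/Cc


def split_recipients(msg):
    """Return (internal, external) addresses taken from To and Cc.

    Only To and Cc are visible to every recipient; Bcc is stripped on
    delivery, so nothing placed there is counted as exposed.
    """
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [addr.lower() for _, addr in getaddresses(raw) if addr]
    internal = [a for a in addrs if a.endswith("@" + INTERNAL_DOMAIN)]
    external = [a for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)]
    return internal, external


def check_message(raw_message):
    """Classify a raw RFC 5322 message as 'ok' or 'block', with the exposed count."""
    _, external = split_recipients(message_from_string(raw_message))
    if len(external) > MAX_VISIBLE_EXTERNAL:
        reason = f"{len(external)} external addresses visible in To/Cc; use Bcc"
        return {"verdict": "block", "exposed": len(external), "reason": reason}
    return {"verdict": "ok", "exposed": len(external), "reason": ""}


def rewrite_to_bcc(raw_message):
    """Move every external recipient into Bcc so they cannot see each other."""
    msg = message_from_string(raw_message)
    internal, external = split_recipients(msg)
    for header in ("To", "Cc", "Bcc"):
        del msg[header]              # removes every occurrence of the header
    # Keep internal colleagues visible; if there are none, address it to the sender
    msg["To"] = ", ".join(internal) if internal else msg["From"]
    if external:
        msg["Bcc"] = ", ".join(external)
    return msg.as_string()


# Constructed sample: a customer-service update Cc'd to seven customers
SAMPLE = (
    "From: support@example.com\n"
    "To: support@example.com\n"
    "Cc: " + ", ".join(f"customer{i}@mail.test" for i in range(1, 8)) + "\n"
    "Subject: Service update\n"
    "\n"
    "Hello all, the outage has been resolved.\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))                   # blocked: 7 external in Cc
    print(check_message(rewrite_to_bcc(SAMPLE)))   # ok: 0 external visible
```

In a real deployment this logic would sit in the mail gateway or a data-loss-prevention rule rather than on the user's desktop, so that it runs whatever client the employee uses; a threshold of five is deliberately low because a single mistaken Cc of a customer list is exactly the incident described above.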

Publishing confidential data in error

In August 2020, almost 400 people in Powys were affected by a data breach after testing positive for COVID-19.5 Public Health Wales admitted the mistake, explaining that the data had been accidentally uploaded to a publicly viewable server.

In total, the data of more than 18,000 people who had tested positive was available to view online for 20 hours before the error was spotted and the data removed. It had been viewed 56 times in that period, although there was no evidence of misuse.5

Password security

According to the National Cyber Security Centre's (NCSC) 2019 UK Cyber Survey, 123456 is the most popular password globally, and 45% of people reuse the password of their primary email account on other services.6

As well as failing to create strong, unique passwords, people keep passwords on post-it notes in open view, or share them with colleagues. A shared password also destroys accountability: once two people know it, an audit log can no longer tell you who did what. This is another clear example of employees demonstrating a lack of security awareness.
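Training alone does not stop weak or reused passwords; the practical control is to screen each new password against a breach corpus without ever sending the password itself. The block below is an added example written for this article, not code from the original page or from the NCSC: it implements the k-anonymity scheme published for the Pwned Passwords service (send only the first five hex characters of the SHA-1, compare the remaining 35 locally) against a constructed offline stand-in for the service's response. The length policy, the small denylist and the stand-in data are assumptions.

```python
"""Screen a candidate password locally and against a breach corpus.

Added example for this article, not code from the original page. The policy
values, the small denylist and the offline stand-in for a Pwned Passwords
"range" response are assumptions constructed so that the example runs
without network access; the prefix/suffix scheme itself is the published
k-anonymity design of that service.
"""
import hashlib

MIN_LENGTH = 12                                                  # assumption
COMMON = {"123456", "password", "qwerty", "111111", "12345678"}  # constructed


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    to the service and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts = {}
    for line in text.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Times the password appears in the corpus. fetch_range(prefix) returns
    the range text for that prefix; the plaintext never leaves this process."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def assess(password, fetch_range, previously_used=()):
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON:
        problems.append("on the common-password denylist")
    if password in previously_used:
        problems.append("reused from another account")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


# Constructed stand-in for the service: the range for "123456" holds its real
# suffix (with a made-up count) plus one filler entry. A live client would GET
# https://api.pwnedpasswords.com/range/<prefix> and use the response body.
_PREFIX, _SUFFIX = sha1_prefix_suffix("123456")
_FAKE_RANGES = {_PREFIX: f"00A1B2C3D4E5F60718293A4B5C6D7E8F90A:3\n{_SUFFIX}:1000\n"}


def fake_fetch_range(prefix):
    """Offline substitute for the HTTP call (returns '' for unknown prefixes)."""
    return _FAKE_RANGES.get(prefix, "")
```

The `previously_used` argument stands in for whatever the organisation can legitimately compare against (for example, hashes of the user's own earlier passwords); it is there to catch the reuse the survey describes, not to build a central store of plaintext passwords.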

Security updates

Outdated software is an open invitation to attackers. Employees who ignore software updates, disable security features or install unauthorised software make a cyber-criminal's job easier.

When a vulnerability is discovered in a piece of software, the vendor releases an update that fixes it. Publishing the fix also tells attackers where the weakness is, and they then look for devices that have not yet installed it. This is why security updates should be installed as soon as they are available, and why automatic updates should be left switched on rather than postponed.

Phishing scams

A phishing email relies on deception to steal confidential information. Victims engage with the email because they believe it is genuine. Cyber criminals typically use phishing emails to ask for:

  • date of birth
  • phone numbers
  • credit card details
  • home address
  • password information.

This information is then used to commit fraud. Alternatively, the email may carry a link or attachment that, when opened, installs malware on the system. If that malware is ransomware, it encrypts the business's files and the criminals demand payment to restore them.
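The signs a trained employee is taught to look for can also be checked mechanically before the message reaches the inbox: a display name that borrows the company's brand on a foreign domain, a Reply-To that points elsewhere, link text that shows one address while the link goes to another, a lookalike domain, urgent language and a request for credentials. The block below is an added example written for this article, not code from the original page or from any product it mentions; the trusted domain, the indicator list, the threshold and both sample messages are constructed assumptions.

```python
"""Score an email message for common phishing indicators.

Added example for this article, not code from the original page. The trusted
domain, indicator set, threshold and both sample messages are assumptions
constructed here for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"          # assumption: the organisation's own domain
BRAND = TRUSTED_DOMAIN.split(".")[0]    # the word an impersonator will reuse
URGENCY = ("urgent", "immediately", "suspended", "verify your", "within 24 hours")
CREDENTIAL = ("password", "passcode", "security code", "card number")
THRESHOLD = 2                           # assumption: indicators needed to flag
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of an email address or URL ('' if none)."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def is_ours(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def is_lookalike(host):
    """True if host mimics our domain after undoing common swaps (1/l, 0/o, rn/m)."""
    if not host or is_ours(host):
        return False
    return BRAND in host.replace("1", "l").replace("0", "o").replace("rn", "m")


def body_and_links(msg):
    """Return the message text and a list of (href, visible text) links."""
    text, links = [], []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(payload)
            links.extend(parser.links)
            text.append(re.sub(r"<[^>]+>", " ", payload))
        else:                      # plain text: each URL is its own link text
            links.extend((u, u) for u in URL_RE.findall(payload))
            text.append(payload)
    return "\n".join(text), links


def phishing_indicators(raw_message):
    """Return {'score', 'indicators', 'verdict'} for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = host_of(from_addr)
    found = set()
    if BRAND in display_name.lower() and not is_ours(from_host):
        found.add("sender-brand-impersonation")   # our name, someone else's domain
    reply_host = host_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_host and reply_host != from_host:
        found.add("reply-to-mismatch")            # replies diverted elsewhere
    body, links = body_and_links(msg)
    for href, text in links:
        shown = host_of(text) if text.startswith("http") else ""
        if shown and shown != host_of(href):
            found.add("link-text-mismatch")       # text says one host, href another
        if is_lookalike(host_of(href)):
            found.add("lookalike-domain")
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in lowered for w in URGENCY):
        found.add("urgency-language")
    if any(w in lowered for w in CREDENTIAL):
        found.add("credential-request")
    verdict = "suspicious" if len(found) >= THRESHOLD else "clean"
    return {"score": len(found), "indicators": sorted(found), "verdict": verdict}


# Constructed samples: one credential-phish, one ordinary internal email
PHISHING_SAMPLE = """\
From: "Example IT Support" <helpdesk@example-support.co>
Reply-To: recover@mailbox-reset.net
To: alice@example.com
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Verify your account immediately at
<a href="http://examp1e.com/login">https://example.com/login</a>.</p>
"""

BENIGN_SAMPLE = """\
From: "Bob Jones" <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Are you free on Thursday? This week's menu is at https://example.com/canteen
"""
```

Heuristics like these are a triage aid, not a verdict: a well-crafted phish can score zero, and a legitimate password-reset notice can trip several indicators, which is why the article's advice to train people and rehearse with mock phishing emails still stands alongside any filter.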

Action Fraud estimates that Britons were conned out of £3.5m in the first two months of lockdown, as cyber criminals cashed in on the uncertainty caused by the pandemic.7 As of May 2020, the UK's national fraud and cyber crime reporting centre had uncovered 7,796 phishing emails linked to COVID-19.7

Adopt some of these simple approaches to help prevent a data breach:

  • Raise awareness
    Increase training and awareness of how to detect a phishing email. Arrange training sessions for your employees with mock scenarios, including simulated phishing emails, to help them recognise the real thing.
  • Install antivirus software
    Make sure antivirus software is installed and kept up to date on all your business equipment, and that software updates are applied promptly.
  • Create a recovery plan
    Help minimise the damage caused by a cyber breach. Your plan should cover how to recover data quickly so that your business continues to run as smoothly as possible. Keep backups that are disconnected from the network, so that ransomware cannot encrypt them as well, and test that you can actually restore from them.
  • Take out cyber liability insurance
    Cyber insurance has now become an essential cover for small businesses. Speak to us about what level of insurance your business requires.


1. https://www.cybintsolutions.com/cyber-security-facts-stats/
2. https://www.varonis.com/blog/likelihood-of-a-cyber-attack/
3. https://www.british-assessment.co.uk/insights/the-worst-data-breaches-in-history/
4. https://www.expertreviews.co.uk/speakers/1411498/sonos-email-address-leak
5. https://www.countytimes.co.uk/news/18719563.data-breach-made-personal-data-people-wales-tested-positive-coronavirus-public/
6. https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security
7. https://www.actionfraud.police.uk/covid19
