Insider threats can be caused by contractors, vendors or employees. Sometimes this is due to malicious intent, but more commonly it is due to negligence, in other words, human error.

Author: Johnty Mongan


Human error contributes to 95% of cybersecurity breaches [1]; however, it is also the easiest cause to prevent. Business organisations need to identify the gaps that allow these human errors to occur, and implement integrated cybersecurity systems.

Remote working options have increased the vulnerability of enterprises to cyber threats. Lack of awareness is one of the major causes of cybersecurity breaches arising from human error, which means most of these breaches are preventable. Precautionary measures need to focus on improving employees' competence to handle cyber risks appropriately. Stringent policies, along with proper awareness within the workplace, will help to minimise the occurrence of cyber incidents.

Types of Human Errors

Human errors within the cybersecurity landscape can be categorised into decision-based errors and skill-based errors. Decision-based errors are caused by a lack of the knowledge needed to make the right decision. Skill-based errors are caused by the inattentiveness and negligence of employees.

Some of the common cyber risks caused by human error are:

  • Poor password hygiene makes it easier for bad actors to gain access to the enterprise’s network
  • Using insecure devices exposes the enterprise’s systems, network and data to exploitation
  • Misdirected emails can cause data loss, which may further result in loss of trust and breach of contract
  • Ignoring software updates and running outdated software makes it easier for bad actors to find their way into the system

Impact of Cyber Threats caused by Human Errors on Enterprises

In the era of digitalisation, combating cyber threats is one of the most underinvested areas. Cybersecurity breaches cost organisations financially, and the social impact following these incidents damages the company’s reputation in the market. Consumers tend to stop engaging with enterprises that experience a cyber-attack, irrespective of the factors responsible for it.

According to IBM’s Cost of a Data Breach report, the average cost of cybersecurity incidents caused by human error is approximately $4.35 million [2]. Without an adequate framework for assessing the financial impact of cyber-attacks, these figures may not reflect the actual numbers. It has been found that human errors are responsible for 19 out of 20 cyber breaches. Eighty-three percent of the cyber-attacks identified within UK businesses were phishing attempts [3].

Incidents where human errors impacted globally renowned organisations:

Sequoia Capital, a globally renowned venture capital firm, experienced a cyber-attack caused by human error in February 2021. A successful phishing campaign allowed a third party to access the financial and personal information of over 1,100 corporate clients seeking investors. Sequoia Capital took immediate preventive measures to mitigate cybersecurity risks in the future: they remediated the configuration that allowed the initial access, improved detection technology for better visibility of malicious content in email, enhanced phishing awareness by offering cybersecurity training, and thoroughly reviewed their networks and systems.

Toyota Boshoku Corporation, the European subsidiary of Toyota Group, fell victim to a business email compromise (BEC) attack. In August 2019, an employee was tricked into transferring a hefty sum to a hacker’s account after an email, seemingly sent by a business partner, requested that the funds be transferred to a specific bank account. The financial and social impact of this incident was significant. The company immediately assembled a team of legal professionals with the objective of taking the necessary action against the people involved in the incident.

Preventive Measures to Control Cybersecurity Incidents caused due to Human Errors

Phishing simulations: Phishing is a real threat to your organisation. A phishing email is intended to obtain sensitive information, such as bank account details or login credentials, from your employees; the attacker then uses this information to commit fraud, extortion and/or identity theft. Phishing simulations make employees more careful and help your organisation to assess how well its employees contribute to protecting the business from cyber threats.

Strong password management: Strengthening password management within the organisation will help prevent breaches caused by poor password hygiene. It is also necessary to educate employees on the need to set complex passwords.

Frequent awareness training: Human errors are largely caused by a lack of awareness of cybersecurity and of its impact on the bigger picture. The objective of awareness training is to help employees understand the risks associated with cyberspace. Employees should be trained to identify cybersecurity threats and to deal with them appropriately.

Updating security policies: Clear instructions in the security policies will help employees know how to handle sensitive data. Updating the security policies frequently, and notifying employees of each update, keeps them familiar with the current requirements.

Filtering of incoming emails: Flagging suspicious emails is the easiest way to prevent phishing mails from landing in your employees’ mailboxes. Security software strengthens the filtering process and is likely to identify and stop phishing mails before they reach their targets.

Controlled access to sensitive data: Limiting access to sensitive data limits its exposure to different threats. Permission levels should be assigned based on the roles of users. Further, any request to access data should be approved by a manager.

The most effective way to address cybersecurity threats is to structure a strategic approach and implement it. The primary requirement is to investigate and identify the factors that can give rise to cybersecurity threats. Gallagher’s Cyber Risk Management works to guide enterprises in training employees on cybersecurity, which helps control the risk of cyber incidents caused by human error.


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.