It is a familiar story that tends to be repeated month after month, year after year: a large organization reports that its customer data has been exposed via a data breach, and notices are sent out to affected customers. In January 2023 alone, organizations such as Twitter, Chick-fil-A, PayPal, MailChimp, and T-Mobile announced data breaches. The organizations typically promise to redouble their efforts to close the gaps that led to the breach, enhance customer and employee cybersecurity training, and provide “friendly reminders” to customers about the need to remain vigilant against cybersecurity scams.

And while federal authorities continue to chase down bad actors, such as the FBI’s takedown of Hive, a ransomware group that has extorted more than $100 million from schools, hospitals, and others around the world, there are still many threats targeting small, medium, and enterprise-size companies. However, according to the results of an online survey conducted by EisnerAmper, external hackers (75%) and accidental internal staff errors (71%) were cited as the top two expected likely causes for cybersecurity breaches.

The online survey was taken by 113 predominantly chief executive officers/owners/ presidents, chief risk officers, chief finance officers, chief technology officers, chief operating officers, and vice presidents of finance during November 2022. Companies surveyed include financial services, real estate, manufacturing and distribution, and technology, with representation from other sectors such as healthcare, professional services, and nonprofits. Most companies are in the annual revenue range of $50 million to $500 million and have 10 to 99 employees.

Yet, despite the concerns about external and internal cyber threats, only 50% of survey respondents say they conduct regular training, and most executives interviewed for the survey said they will not change IT personnel nor increase their IT budgets.

One of the reasons that good cybersecurity can increase friction is the layered nature of a strong defense. Instead of relying on a single technology or strategy to thwart would-be hackers or careless employees, robust security practices are multifaceted and are designed to introduce friction.

“Similar to layers of an onion, the more strata that concisely fit together strengthen the overall endeavor,” explains Rahul Mahna, Managing Director at Eisner Advisory Group’s Outsourced IT Services team. “However, if you look at one layer on its own it appears weak and flimsy. It’s the job of an IT department to educate the firm’s people and [explain] the reasoning that one layer augments the security of other layers. If this is not explained clearly and comprehensively, then it will appear to be problematic and burdensome to the employees of the firm.”

This is also true for customers, who may feel that security measures, such as multi-factor authentication, captchas, and other security mechanisms that appear to make interacting with a company more difficult are necessary to ensure their safety, as well as the safety of the company.

“When we implement solutions in our practice, we spend a substantial amount of time explaining and educating on the ‘why,’” Mahna explains. “We have found that taking the time for this explanation period significantly mitigates the organization friction (and potential risk) that could occur.”  

The EisnerAmper survey also highlighted the disconnect between the awareness of potential cybersecurity issues that are the result of employee actions, and the use of internal training. According to the survey, 71% of executives believe a cyber breach could occur from internal actions, but 31% had not conducted a cybersecurity training event or session.

“We believe this stems from the idea that there is no “magic bullet” to solve an IT problem,” Mahna says. “To effectively have a cybersecurity mindset requires a commitment to a budget and constant review, training on and evolution of the programs in place.”

Organizations that collect and store large amounts of personally identifiable information (PII) are particularly at risk for cyberattacks and breaches because the data is extremely valuable, fetching anywhere from a few dollars (such as a customer’s address) or item to several hundreds of dollars (for a person’s complete medical record), according to Keeper.com. That is why Mahna suggests that organizations conduct IT risk assessments on an annual basis to gauge the firm’s cyber resiliency and its weaknesses.