Cyber security is one of the most talked about topics in the realm of business IT, and with good reason. Data breaches are occurring with alarming frequency, and their impact is growing.

Beyond the obvious examples affecting millions of records, such as the Anthem and Target breaches, there are myriad smaller—but still damaging—incidents. UC Berkeley, for example, recently experienced a breach exposing several hundred students’ Social Security numbers. Even such relatively minor events can have a long-lasting, negative impact on an organization’s reputation, hurting its prospects for years to come.

With all this in mind, it’s obvious that organizations of all sizes and sectors need to do more to protect their digital assets from the threat of exposure. As a recent examination of data breaches from Baker & Hostetler LLP highlighted, an effective cybersecurity strategy needs to focus heavily on employees’ information security awareness. Without high-quality security training, there’s simply no way to keep a business’s information safe.

“Employee negligence was responsible for 36 percent of all data breaches.”

Preventing data breaches

This latest study examined more than 200 data breaches from last year, according to Bloomberg BNA. Among these incidents, employee negligence was responsible for 36 percent of all data breaches with identifiable causes. This made worker mistakes the single biggest factor in security incidents. Additionally, successful phishing attacks—in which employees are tricked into opening malware-ridden files or links – accounted for a further 11 percent of data breaches. For comparison, external cyber attacks accounted for only 22 percent of cybersecurity failures.

Obviously, these statistics suggest that many companies are experiencing data breaches that can and should have been avoided. Many firms’ current policies and protocols are simply failing to prevent employees from making cyber security-related mistakes, and this has proven exceedingly costly for countless organizations.

To a significant extent, these issues can be traced back to a basic misunderstanding among decision-makers when crafting cyber security strategies. Speaking to Bloomberg BNA, Ted Kobus, co-leader of Baker & Hostetler’s privacy and data team, noted that organizations often have strict policies in place when it comes to what devices and other assets employees are permitted to take home. At first glance, this makes sense—after all, lost or stolen corporate-owned mobile devices can lead directly to data breaches.

However, as the news source pointed out, a cyber security policy centered on nonpermissive policies will not likely prove effective. Ultimately, workers will often ignore restrictions in favor of convenient practices, meaning that the implemented policies simply serve to limit the IT team’s oversight of employees’ behavior, further increasing the risk that a cyber security incident will occur.

A new approach to cyber security

This doesn’t mean that companies should stop creating and enforcing cybersecurity policies. It does indicate, though, that these policies should be reconsidered and, even more importantly, they should be supplemented with comprehensive employee security awareness training.

In terms of policy, companies need employee guidelines that take into account how workers can be reasonably expected to behave. Outlawing certain actions without offering secure alternatives forces personnel to choose between job performance and cybersecurity – a decision no worker should have to make. A good cybersecurity strategy not only forbids dangerous activity but also offers useful guidance to employees.

Just as importantly, companies need to provide personnel with the training they need to operate safely. This training should not just inform workers of best practices but also help them to appreciate the stakes involved. When employees understand the damage that data breaches can cause and how their actions can cause such incidents, they become far more likely to abide by reasonable cybersecurity protocols. This greatly improves the company’s data protection capabilities overall.