Print Edition

  Email News Updates

VIEWPOINT: 1 Thing Most Cyber Breaches Have in Common: Lack of Education

By Terra Carnrike-Granata


Cybersecurity breaches are nothing new, but several high-profile cases recently are bringing new attention to a serious and growing problem. Malicious actors are getting more sophisticated in their attempts to subvert systems, using tactics such as spear-phishing to prey upon employees’ willingness and desire to be helpful. 

The average cost of a breach in the U.S. is $242 per record. Regaining trust and repairing a corporate reputation could add on to that expense significantly.

The fact that this is a growing problem is undeniable. There are a lot of reasons for the rise in cybercrime, including the sudden switch to remote work brought about by the COVID-19 pandemic. But even when employees are in the office, it’s easy to fall for a phishing scam, or leave systems vulnerable due to poor password habits. Here are just a few of the top vulnerabilities:

• Weak passwords — Choosing overly simple or easily guessed passwords is a long-standing risk.

• Unrestricted web browsing — Accessing the web is a modern business tool that can have many advantages, but unrestricted web browsing can lead employees to accessing sites riddled with malware, putting your systems at risk.

• Social-engineering scams — Social-engineering scams capitalize on the desire of employees to be helpful. Some of these scams might even happen over the phone, with scammers posing as coworkers or vendors, tricking your employees into disclosing passwords or bank-account numbers.

• Phishing, spear-phishing, and link scams — Email scams are widespread. Typically, an employee will receive an email that appears to be from a trusted source, such as a bank or vendor website, and will ask an employee to click a link to verify their account information. Once this process is complete, the attacker has access to your private information.

• Poor document control — Unlocked file cabinets, post-it notes that contain the latest passwords to systems, storing sensitive information in easily accessible files, discarded paperwork that remains un-shredded, and even documents left on printers are all examples of weak document security that could compromise your systems.

• Outdated or disabled browser-security software — Without the latest versions of anti-virus software in use on every machine, your office could be vulnerable.

Examining this list, it’s clear that malicious actors have two primary means by which to gain access to your systems: through holes in your technology, or by manipulating your employees. Businesses are aware that this is a problem, yet still can struggle to implement measures that will harden their cybersecurity defenses. Why is there such a disconnect?

Cost is frequently mentioned as a factor in delaying cybersecurity improvements. Although it is true that businesses may have additional IT expenses, especially if they are still using outdated hardware and software, the costs of upgrading systems will likely pale in comparison to the financial and reputational costs of a breach.

The most impactful step companies can take in hardening their cybersecurity defenses is training employees. All breaches share one commonality: educating people can reduce the rate of these attacks.

Cybersecurity training is not a one-time event. Rather, it is ongoing learning that will make the biggest difference. Short, frequent training will have a lasting impact — and, recurrent lessons allow for changes to be made in training, to adapt as malicious actors change their tactics. I’m reminded of Ben Franklin’s quote: “Tell me and I forget, teach me and I may remember, involve me and I learn.” 

You’ll need to involve every employee. Each person who has access to email or who uses your computers must be trained — including interns, and all the way up to the CEO. Malicious actors have become very adept at mimicking legitimate websites, and whether it is through a lack of understanding, carelessness, or unfamiliarity with the risks, employees are putting companies at risk.

Training doesn’t have to be expensive. Leaders should look to third parties to conduct training as threats and tactics so quickly evolve. Video training is available at a reasonable dollar amount, and the Center for Internet Security has a list of free resources. 

Cybersecurity training is one of the most essential steps you can take to protect your business. If you need help, reach out to your financial institution for recommendations. It, along with organizations such as the Cybersecurity and Infrastructure Security Agency (CISA), the Small Business Administration (SBA), and the Department of Homeland Security (DHS) have resources and help for companies of all sizes.        

Terra Carnrike-Granata is senior VP and director of information security at NBT Bank. She is responsible for designing and implementing sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyber threats — helping to keep companies and consumers protected. For more information, visit

Thank You For Visiting