As businesses are spending millions of dollars on technology and software to protect themselves from cybercrimes, they may be missing a leading cause of cybercrime by not investing their money in training their own employees.

Human error is the leading cause of cybercrimes, according to BakerHostetler's 2016 Data Security Incident Response Report. Some of the most prominent companies learned that all too well in the last calendar year, as costly mistakes by their employees left their business vulnerable to hacks.

In the spring of 2016, Snapchat was the victim of a phishing scam, where hackers posing as the CEO convinced an employee to email them the personal information — IRS Form W-2 data — of about 700 current and former employees of the organization. This included employee names, Social Security numbers, wages, stock-option gains and benefits. Shortly after the information was released, the employee realized that the original request was not legitimate. Everyone affected by the scam was quickly notified and offered free credit monitoring and identity theft insurance.

A human mistake was also the leading cause of a recent breach of Premier Healthcare, a multispecialty healthcare provider. After the billing department failed to secure its computers, a laptop computer was stolen from its headquarters. The electronic protected health information (ePHI) that could have been accessed from the single laptop could affect roughly 200,000 patients. The laptop was password-protected but not encrypted.

Employees reported the stolen laptop as soon as they realized it was missing, and the company took a number of steps to locate the laptop and identify the thief, including notifying patients and filing a police report. Fortunately, the laptop was returned and a comprehensive forensic analysis revealed the laptop had not been powered on since it went missing.

This year, Snapchat, Premier Healthcare and every other business, big, medium or small, must invest in cybersecurity protection. They have to prepare their employees for the worst.

Here are three cybersecurity resolutions that offices need to make going forward:

1. Train employees with gamification.

In addition to sending around a list of dos and don'ts on how to prevent cyberattacks to employees, companies could get more creative when it comes to training their staff. Businesses should consider using gamification for training exercises to present real-life scenarios to employees.

One way to do this is by having “pretend” hackers try to obtain proprietary information from employees. If an office doesn't properly react, it could serve as a great lesson for everyone. If they react correctly, they could win a prize. Every employee poses a risk, so training each individual is a critical element of cybersecurity.

2. Testing your response time.

Hackers are always going to be one step ahead due to the ever-changing cybersecurity landscape. In preparation, companies must have a cyber response plan in place and need to be ready to respond to multiple scenarios.

Employees need to understand how to identify risks and the appropriate individuals or departments where they should report findings. In addition, every employee should be taught best practices, like how to create stronger passwords or how to spot suspicious emails, so that they can use good judgement when online. If you suspect something, report it.

3. Protect your crown jewels.

The most important thing that businesses can do is identify their “crown jewels,” which are the data assets that are most critical to their organization and customers. Once the crown jewels have been identified, a company's security team can establish targeted cybersecurity controls to ensure this data is secure and recoverable.

While doing this, companies should make sure to conduct a penetration test to find out if their most important assets are vulnerable to hackers. This approach will save time and money. It's not practical or cost-effective to put the same level of protection on all data, so target the data that's most important to the business.

Christopher Roach is the National IT practice leader and a managing director in the Risk & Advisory Services practice for Cleveland, Ohio-based CBIZ, Inc. Roach can be reached at [email protected].


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.