People Remain the #1 Challenge for IT Security Providers

No matter how hard you try, there’s simply no way to provide your clients with a 100% guarantee that their data and information systems will never be compromised. At least not with humans involved in the process. Despite all the news of data breaches and compromised personal information, and the education aimed at eradicating a host of bad practices, people are still the weakest link in the IT security process. That includes ignoring company password and web policies, or connecting unapproved devices to their corporate network.

Some employees simply enjoy beating the system. Consider it their James Dean moment: rebelling against authority by ignoring the rules. Whatever the reason for their failure to follow prescribed security protocol, solution providers can and should take a firmer stance with their customers with regard to data protection and compliance training. Some see it as an opportunity (if not a duty) to help their clients proactively address issues that could leave them open to significant fines and lawsuits. With the steadily increasing number of industry regulations and rules placed on businesses, especially relating to data privacy and security, that type of support is invaluable.

As our latest industry research report affirms, the employee risk is a real issue that someone has to address. Solution providers are in a prime position to lend an assist. Cyber Secure: a Look at Employee Cybersecurity Habits in the Workplace summarizes a CompTIA-commissioned survey of 1,200 full-time workers across the U.S. looking at their technology usage and security habits. This research was designed to assess cybersecurity awareness levels of employees in their work environment.

As frightening as the findings are, they may not surprise those who do regular onsite IT security evaluations or deal with similar client issues on a daily basis. Some point to potential gaps while others suggest an outright issue, but either way, it’s great information to review with your customers to, at a minimum, raise their level of concern. Some of the most relevant findings include:

  • 63% of employees admitted to using their employers’ mobile devices for personal activities
  • 94% said they connect their own laptops and mobile devices to public Wi-Fi networks
  • 49% of employees have at least 10 logins, but just 34% have at least 10 unique logins
  • 45% of respondents said they receive no cybersecurity training from their employers
  • 36% of employees use their work email address for personal accounts, while 38% use work passwords for personal accounts

Those practices may explain why, according to the Ponemon Institute, 47% of U.S. adults were hacked in 2014 and 32% had their work device become infected within the past two years. And that trend is likely to get worse as more Millennials enter the workforce. That group is even more likely to have experienced a data breach (27%) or infected device (42%).

Whether they fail to appreciate the risks associated with these bad behaviors, or simply don’t think the policies apply to them, it’s a problem that every company needs to address. The problem is that many SMBs simply don’t have the resources or the know-how to do it effectively. Worse yet, human error ranked low on the radar of businesses’ biggest concerns in the recent studies. Even if you can change their perception with industry information and research (including the CompTIA Cyber Secure white paper), most SMBs won’t know what to do.

At ChannelCon 2015, several members of our IT Security Community shared their own personal horror stories (check out the video) from working with small business clients, as well as the steps they took to help fix each situation. In many cases, the solutions were fairly easy to implement after uncovering all the existing procedural and infrastructure gaps.

What do SMBs need from their providers? Most are looking for training and help building company standards based on proven data protection best practices. My colleague Seth Robinson, Senior Director of Technology Analysis for CompTIA, emphasizes the opportunity this presents for channel firms with consulting aspirations. “SMBs need security professionals who can speak the language of the management team. After building consensus around acceptable risk and developing the appropriate policies, they can push the message down to the employee level with technology and training programs.”

As an IT professional, you have an obligation to help your business clients understand the risks associated with network and data management. To that end, make sure that developing evaluation and training programs is a viable option for your business. If not, partner with others to ensure your customers and their employees have the resources and support they need to keep their information properly protected.