That's according to Patrick Costello, co-founder of cyber insurance firm Evolve MGA, which specializes in helping businesses get coverage for all the costs associated with cyberattacks and data breaches, including loss of income, reputational harm, extortion costs and so on.
The main causes of data breaches, according to Costello, are:
1. Lack of employee cybersecurity training
All employees should be briefed on cybersecurity best practices so they protect not only their own data but a company's entire network of sensitive data. Costello said a good way to do this is to come up with games or reward systems that enforce cyber safety.
"Most people think that to get hacked, their devices or accounts have to be individually infiltrated," Costello said. "The scary thing is, when large companies get hacked, everyone’s credentials that are associated with the company in the attack are likely going to be exposed on the internet. It gets even worse if you use the same password for multiple accounts."
2. Vulnerable users' tendencies to click on malicious links
Vulnerable users who have not been briefed on cyber-safety best practices are the most likely to click on malicious links without being aware of the danger those links pose to their devices and sensitive data.
The happens most often when a victim opens a phishing email, or an email disguised to look real and like it is coming from a known and trusted source that asks the recipient to visit a fraudulent website and share personal information or download a malicious file that can infect a device, Costello said.
3. Unsecured and out-of-date company computer networks
Companies that fell victim to two of the most major ransomware attacks in the past year had not "updated their systems with the most current patches," or security updates, that could have prevented their networks from being attacked, Costello said.
"The systems we use every day have vulnerabilities," Costello said, adding that companies should be doing regular vulnerability assessments and backups.
"There are [computer system] patches that come out regularly that companies should take advantage of," he said.
4. Weak passwords without multifactor authentication
Luckily, many digital applications require strong passwords with a combination of letters, number and symbols these days. Some applications even require two- or multifactor authentication, meaning even a strong password won't log a user into an account. Instead, users have to connect things like phone numbers, email addresses, other connecting apps and so on to verify their identities.
When these settings are not required, users should take it upon themselves to set up strong authentication procedures, Costello explained.
Users can also buy security tools to strengthen their networks, Jordan Mauriello, SVP of managed security at computer security service Critical Start told FOX Business.
"Good, basic security hygiene is still a key to good defense," Mauriello said. "Proper password policies and removal of local administrator accounts. Implementation of proper network segmentation. Good patch management and remediation process."
"However, for many organizations, this is still not enough to prevent all of these threats and organizations must look beyond traditional controls and onto next-generation technologies to help detect and prevent these kinds of attacks and the associated business impacts they can have," he said.
Mauriello recommended tools like endpoint detection & response (EDR), next-generation endpoint protection (EP) and true security orchestration, automation and response (SOAR) capabilities "to and prevent these threats in a timely fashion."