As businesses are spending millions of dollars on technology andsoftware to protect themselves from cybercrimes, they maybe missing a leading cause of cybercrime by not investing theirmoney in training their own employees.

Human error is the leading cause of cybercrimes, according toBakerHostetler's 2016 Data Security IncidentResponse Report. Some of the most prominent companies learnedthat all too well in the last calendar year, as costly mistakes bytheir employees left their business vulnerable to hacks.

Related: Are millennials a cybersecurity risk atwork?

In the spring of 2016, Snapchat was the victim of a phishing scam, where hackers posingas the CEO convinced an employee to email them the personalinformation — IRS Form W-2 data — of about 700 currentand former employees of the organization. This included employeenames, Social Security numbers, wages, stock-option gains andbenefits. Shortly after the information was released, the employeerealized that the original request was not legitimate. Everyoneaffected by the scam was quickly notified and offered free creditmonitoring and identity theft insurance.

Related: The 3 R's to remedy a cyber breach

A human mistake was also the leading cause of a recent breach of Premier Healthcare, amultispecialty healthcare provider. After the billing departmentfailed to secure its computers, a laptop computer was stolen fromits headquarters. The electronic protected health information(ePHI) that could have been accessed from the single laptop couldaffect roughly 200,000 patients. The laptop was password-protectedbut not encrypted.

Employees reported the stolen laptop as soon as they realized itwas missing, and the company took a number of steps to locate thelaptop and identify the thief, including notifying patients andfiling a police report. Fortunately, the laptop was returned and acomprehensive forensic analysis revealed the laptop had not beenpowered on since it went missing.

This year, Snapchat, Premier Healthcare and every other businessbig, medium or small, must invest in cybersecurity protection. Theyhave to prepare their employees for the worst.

Here are three cybersecurity resolutions that offices need tomake going forward:

(Photo: Shutterstock)

1. Train employees with gamification.

In addition to sending around a list of dos and don'ts on how toprevent cyberattacks to employees, companies could get morecreative when it comes to training their staff.Businesses should consider using gamification for trainingexercises to present real-life scenarios to employees.

One way to do this is by having “pretend” hackers try to obtainproprietary information from employees. If an office doesn'tproperly react, it could provide as a great lesson for everyone. Ifthey react correctly they could win a prize. Every employee poses arisk, so training each individual is a critical element ofcybersecurity.

Related: Insurers starving for 'triple threat' cybersecuritytalent

(Photo: Shutterstock)

2. Testing your response time.

Hackers are always going to be one step ahead due to theever-changing cybersecurity landscape. In preparation, companiesmust have a cyber response plan in place and need to be ready torespond to multiple scenarios.

Employees need to understand how to identify risks and theappropriate individuals or departments where they should reportfindings. In addition, every employee should be taught bestpractices, like how to create stronger passwords or how to spotsuspicious emails, so that they can use good judgement when online.If you suspect something, report it.

Related: What's your data breach responseplan?

(Photo: Shutterstock)

3. Protect your crown jewels.

The most important thing that business can do is identify their“crown jewels,” which are their data assets that are most criticalto their organization and customers. Once the crown jewels havebeen identified, a company's security team can establish targetedcybersecurity controls to insure this data is secure andrecoverable.

While doing this, companies should make sure to conduct apenetration test to find out if their most important assets arevulnerable to hackers. This approach will save time and money. It'snot practical or cost effective to put the same level of protectionon all data, so target the data that's most important to thebusiness.

Related: Data breaches in 2017: No relief insight

Christopher Roach is theNational IT practice leader and a managing director in the Risk& Advisory Services practice for Cleveland,Ohio-based CBIZ, Inc. Roach can be reached at [email protected].