Why tech firms are vulnerable to cyber-crime

The words ‘cyber-attack’ often conjures up images of dark rooms filled with people plotting ways to infiltrate IT systems. Yet, while this may depict the root causes of many attacks, the reality is that successful breaches often depend on the involvement – unwitting or otherwise – of employees.

Research by IT security firm Mimecast¹ suggests 95% of all data breaches are caused by human error. While security awareness training is helping employees to spot potential attacks in most organisations, two-thirds of IT security professionals (66%) believe data loss due to employee actions will continue to increase in the year ahead.

Technology firms are particularly vulnerable to such threats. This is due to a combination of their attractiveness to attackers and the nature of people who work for them.

“Tech companies by their nature produce, use and store large amounts of such data, and are often core actors in wider data and supply chains,” says Efpraxia Zamani, Associate Professor of Information Systems at Durham University Business School. “This includes cloud computing provision whereby, by attacking the cloud provider, attackers can gain access to several businesses.”

The open environment in which tech firms thrive is a double-edged sword, says Dr Sameer Mehta, Assistant Professor, Technology and Operations Management, at the Rotterdam School of Management Erasmus University. “On one hand, open cultures help firms to innovate rapidly,” he says. “The ‘move fast and break things’ motto popularised by Mark Zuckerberg is quite widespread across the tech industry.

“On the other hand, the same culture creates blind spots around security. Examples include remote work flexibility, open-door policies for data sharing, less rigid access controls and the informal adoption of new tools.”

Acting on instinct

Then there is the inherent nature of many professionals who want to work in such firms. “Tech employees, in particular, are more likely to experiment with new solutions, such as signing up for unknown beta tools or integrating the latest ‘cool’ app into their workflow,” says Dr Mehta.

“Sometimes the curiosity that drives innovation also encourages them to bypass standard security processes. Common mistakes include temporarily disabling antivirus software to run an unverified script or turning off multi-factor authentication for a quick fix.”

Tech companies will typically contain various roles, says Zamani. These include developers, quality assurance testers, product owners, and developer managers. “Based on my experience, developers themselves, and people who work with or on the code directly, are quite cautious in using a new technology that may not have been tested sufficiently,” she states.

“Often, the issue lies with roles that manage developers, or which are placed some degrees away from the development work. They may wish to impose the use of a new and somewhat untested technology to entice clients, by offering the most ‘innovative’ solution.”

Online resources such as StackOverflow and GitHub, which many software developers and code testers use to access advice and support, can also introduce vulnerabilities, points out Phil Legg, Professor of Cyber Security at the University of the West of England and Co-Director of the UWEcyber Academic Centre of Excellence in Cyber Security Education.

“Some online coding advice may be factually wrong or potentially misguided, however, through the process of debugging software, developers will typically overcome their challenges,” he says.

Now, though, the use of artificial intelligence (AI) is adding a new threat. “AI is playing a greater role as a ‘pair programmer’ – for example, GitHub Copilot and Cursor – where AI can generate and suggest code sections for developers,” he says. “Just as with community discussion forums, there is a need to validate and test that the suggested code is functional and secure, and not just blindly trust that the AI suggestion will be correct.”

Regain control

There are various ways in which tech firms can reduce the risk they face. Most will already make use of data encryption, regular security updates to patch any vulnerabilities, and multifactor authentication. There’s also the option to prohibit the use of personal devices or portable storage devices, says Zamani.

“There should be also clear permission rights and access control protocols, so that the people who need to have access to particular modules and areas of a system have greater security, and those whose role does not necessitate them having such access are clearly excluded,” she says. “Very often breaches happen because of wrong permissions.”

But the employee threat also needs to be dealt with head-on. “What is crucial is regular refresher training in terms of data protection, particularly because new and innovative technologies such as AI place a greater burden on data, and data itself is a very high-value target,” she warns.

Dr Mehta urges tech firms to conduct frequent, realistic simulations to train employees. “This should include tailored training for tech roles, such as system admins or DevOps engineers,” he says. “It’s also important to set clear policies for reporting suspicious behaviour and to educate employees on their role in the event of a breach to ensure a swift response. A lot of secondary damage such as loss of reputation or goodwill can be prevented if employees have a co-ordinated response.”

There are other steps that are often overlooked before bringing people into organisations. “Tech companies should conduct thorough background checks, verify references and confirm credentials,” he says. “This doesn’t just apply to employees of the firm. Vendors, partners and contractors – anyone who touches the firm’s network – can introduce risks. They should be vetted as well. Finally, when an employee leaves, their privileges should be revoked immediately.”

¹ The State of Human Risk 2025