Time and time again it has been found that the greatest vulnerabilities in enterprise security rests in the hands of business’ employees. In fact, one recent study in the U.K. found that 75% of large organizations suffered staff-related security breaches in 2015, with 50% of the worst breaches caused by human error. So as employees stand as the first line of defense against security breach, their habits may simultaneously act as the greatest threat to enterprise security.

How Are Employees Endangering Business Security?

There are several ways that employees endanger business security, whether there is malicious intent or not. Some risky behaviors include sharing files over the cloud, accidentally downloading malicious apps, clicking on phishing links, reusing passwords, participating in online games, or simply just listening to music. It is important to remember that cybercriminals will find any gateway to access sensitive information.

One study that that looked at employee habits found that 63% of employees use their work device for personal reasons such as online banking, social media, and shopping. This same study also found that 94% of employees connect their laptops or mobile devices to public WiFi networks and 69% handle work-related data on these networks. Additionally, businesses tend to overlook the danger in employees’ personal mobile devices.

A different study that polled 588 security professionals at Global 2,000 companies reported that 3% of employee mobile devices are infected with malware, translating into an average of more than 1,700 infected devices in the workplace that are connected to the company’s network.

What Needs to Be Done?

Security pros at We Live Security suggest that enterprise security stems from a cybersecurity program detailing how your business approaches outsider and insider threats. To help build a strong foundation, they suggest the following framework for better security online.

Boost employee awareness: It is no longer enough for people to be cyber-aware—an entire workforce needs to understand how easy it is to make mistakes and where vulnerabilities exist. The absence of knowledge means that there is no reference point to consult if in doubt; as such, issues are likely to materialize. Back up your data: Nothing is foolproof. For instance, while the ransomware Locky is an external threat, it is also an internal one distributed by emails with attachments. A trojan is embedded in the document, and once opened, it executes its payload. Therefore, backups are essential, and preferably stored in an external hard drive so that in the case of breach, you are prepared with a copy. Document what is and isn’t acceptable: Detailing what is and isn’t permissible on paper is vital in establishing boundaries of best practice in the workplace. For example, some organizations may find it acceptable for employees to take home their laptops; others might consider it inappropriate. Additionally, businesses must discuss their response plan in the case of employee transgressions whether it be warnings, fines, etc. Of course, this will vary with any given enterprise, but is nonetheless important in how you view and deal with deliberate or accidental violations.

These three guidelines provide a strong foundation for enterprise security, but businesses must take it upon themselves to continuously build upon this framework. Continuous endpoint monitoring allows security teams to respond quickly to attacks that start with employees and fend off malicious breach, while continued employee education about advancing threats in cybersecurity may change the employee behaviors that may endanger a company’s sensitive information. Employees don’t have to be a vulnerability to enterprise security, and with proper attention, this first line of defense can become harder to breach.