The Most Common Human Errors that Impact Data Security

Humans make mistakes. Unintentional human errors cost the accounting industry billions of dollars every year.

According to a study by IBM, 95% of data breaches involve human error. Employees, managers, and even owners make five common human-centered errors every day. While most of these mistakes are negligent, it’s important to remember that they are often accidental.

Other factors contribute to human errors within accounting firms that impact data security, including lack of training, inadequate knowledge, or absentmindedly overlooking vital details. Let’s look at some specific examples.

5 Common Human Errors (and How to Avoid Them)

Employee mistakes that lead to data breaches should not be taken lightly. Human factors contributing to vulnerable information security include:

  • Skill-based human errors: These errors occur when staff perform familiar, repetitive tasks and generally involve negligence, not malice. They often happen when staff are distracted, not paying attention, tired, or inexperienced.
  • Decision-based human errors: These errors occur when staff make a flawed decision. Often, the employee doesn’t have the necessary information or allows inaction to become the decision. Such decisions can be negligent or even malicious, or they can simply reflect a lack of adequate supervision.

The costs of human errors range from investing in improved training processes to facing class-action lawsuits from data breaches that adversely impact clients. If accounting firm managers and owners know the most common human errors, they can implement systems to avoid them.

Let’s take a moment to review the most common human errors and how firms can avoid them:

1. Weak Passwords

Security experts and IT strategists expect data breaches to cost $10.5 trillion annually on a global scale by 2025. Many of these data breaches will result from human-centered vulnerabilities like weak passwords.

Even strong passwords are vulnerable. Storing passwords on unsecured documents or devices makes even the most character-diverse passwords worthless.


Accounting firms should use password management software. Password management programs enable users to store usernames and passwords securely. They are affordable and easy to use. The two most secure and best-known password management programs are:

Practice Protect’s Access hub is the perfect cybersecurity tool specifically tailored for accounting data security and account management. Both programs offer password encryption that is unmatched by their competitors. They set password strength rules and whitelist the IP addresses of the firm and its associates and lock passwords using IP restrictions. Geo-locking – those outside the geographical area cannot access passwords – is another feature of these programs. 

Remember, staff should never store passwords on devices, Google Sheets, or Excel. Store passwords only in the password management software. Also, along with enforcing strong password policies, ensure that users turn off the “save password” feature on work devices (it’s good advice for personal devices as well).

2. Using Outdated Software

Outdated software often lacks the latest security features. In a world where cybercrime occurs every 39 seconds, accounting firms require the most updated version of their programs, including every element of the firm’s tech stack.


Update all software and schedule regular checks to ensure your firm uses the most up-to-date version of these programs. Ensure staff takes the latest security measures to protect the firm’s data and that of the clients.

Do not ignore update requests from software manufacturers. Developers constantly find improved methods for managing and securing data based on cyberattack metrics, and firms must ensure they have access to these upgrades.

3. Careless Handling of Personal Data

Human-centered vulnerabilities often include employees accessing data files they are not authorized to access or sending information to the wrong person. The most common form is forgetting to use the BCC function in emails, which exposes every recipient’s address to all the others.

Other examples include:

  • Not locking the computer before walking away
  • Neglecting to redact confidential information
  • Publishing private data on public networks
  • Disclosing information to third-party inquiries


Managers must have conversations with employees about the dangers of the misdelivery of information. Encourage them to take time to double-check their work, emails, and document files before submitting. Create checklists if necessary to confirm that staff follows each safety measure.
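One way to catch the BCC mistake described above before a message leaves the firm is a pre-send check on the draft’s headers. The following is an added example, not code from the article or from any vendor it names; the firm domain, the policy threshold, and the sample messages are constructed placeholders.

```python
# Added example (not from the article): a pre-send check that flags the
# misdelivery pattern where several external clients are placed in To/Cc
# instead of Bcc, so each client can see the others' addresses.
from email import message_from_string
from email.utils import getaddresses

FIRM_DOMAIN = "example-cpa.test"   # assumed firm domain (placeholder)
MAX_VISIBLE_EXTERNAL = 1           # assumed policy: at most one visible outside party

def visible_recipients(raw_message: str) -> list:
    """Return lower-cased addresses that appear in To and Cc (Bcc stays hidden)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]

def is_external(addr: str) -> bool:
    """An address is external when it is not in the firm's own domain."""
    return not addr.endswith("@" + FIRM_DOMAIN)

def check_bcc_policy(raw_message: str) -> dict:
    """Flag a message whose visible headers expose external recipients from
    different organisations to one another; such mail belongs in Bcc.
    Several people at the same client organisation are allowed to see each other."""
    external = {a for a in visible_recipients(raw_message) if is_external(a)}
    domains = {a.split("@", 1)[1] for a in external}
    violation = len(external) > MAX_VISIBLE_EXTERNAL and len(domains) > 1
    return {
        "external_visible": sorted(external),
        "violation": violation,
        "reason": ("external recipients from different organisations are "
                   "visible to each other; move them to Bcc") if violation else "",
    }

# Constructed sample drafts: the first addresses two clients openly, the
# second hides them in Bcc as the article recommends.
SAMPLE_BAD = """\
From: staff@example-cpa.test
To: Alice <alice@client-a.test>, bob@client-b.test
Cc: partner@example-cpa.test
Subject: Year-end filing reminder

Please send your documents by Friday.
"""

SAMPLE_OK = """\
From: staff@example-cpa.test
To: staff@example-cpa.test
Bcc: alice@client-a.test, bob@client-b.test
Subject: Year-end filing reminder

Please send your documents by Friday.
"""

if __name__ == "__main__":
    print(check_bcc_policy(SAMPLE_BAD))
    print(check_bcc_policy(SAMPLE_OK))
```

A mail gateway or client add-in would run such a check on the draft before it is handed to the mail server, since the server strips the Bcc header at delivery time.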

4. Granting Unauthorized Access

Unauthorized access places everyone at risk. That includes granting access to company devices or data sets. Not only is the firm’s data compromised, but the person who gained access may also cause unintended consequences that adversely impact the firm or its clients. It also places them at risk of being unjustly implicated in wrongdoings.


Assign access on a case-by-case basis. Never offer blanket access to any employee, and create a checks-and-balances system for confidential data to ensure that no single party has unnecessary access to all of it. Give accounts the least amount of access needed to accomplish their tasks.

5. Little to No Awareness of Social Engineering

Not all internal data threats are from malicious characters. Sometimes, a lack of awareness of social engineering – when hackers manipulate individuals using deception to get that person to divulge confidential information – poses data threats.

The most common mistake in this area is employees opening phishing emails or downloading attachments that install ransomware.


Cybersecurity is essential to any accounting firm’s data security plan and should be a requirement within the training program. Ensure staff know of the most common cyberattacks and how to avoid them, including:

  • Malware (e.g., ransomware, Trojan horses, spyware programs)
  • Phishing scams
  • Distributed Denial-of-Service (DDoS)
  • Cross-Site Scripting (XSS)
  • Structured Query Language (SQL) injection attacks

Mitigate Human-Centered Vulnerabilities with the Right Tech Stack

To ensure data security, continue to update security policies, such as stringent password requirements and backup processes, to name a few. Firms must also continuously monitor employee activity and only grant access to those that need it.

Some human errors are unavoidable. Catching these errors before they create data security risks takes help from experts who can integrate a firm’s entire tech stack. Tech Guru has the IT specialists accounting firms and CPAs need to build a robust IT infrastructure.

How does your accounting firm manage human errors, and what processes eliminate these risks? If you aren’t sure, take the Tech Guru Security Self-Assessment and see what you can do to improve data security at your firm.