Two new cybersecurity reports were released this week and they brought some surprising news: hackers don’t have to be great at what they do… employees do the hard work of infiltrating a network for them.

The reports–conducted separately by Verizon Communications and Symantec–showed that the biggest threat to business networks isn’t teams of black hat hackers or hostile foreign governments, but employees–from the hourly wage lackeys up through corporate CEOs–who click on malicious links, fall for phishing scams, or simply don’t protect the network with the company’s own mandated protocols.

cybersecurity

The Verizon report demonstrated the top way that hackers get access to a network, which is by sending out phishing emails–which nine employees out of ten have fallen for, according to their research–which in turn installs malicious software on the network. Once the software is in place and the hacker gains access to the employee’s credentials, the rest is easy. He can roam around inside the network and exploit any file he wishes, or can even write his own software to prevent the system’s anti-intrusives from finding him.

Symantec’s report had even more daunting news: phishing attempts are so successful that even government spies are relying on that form of attack. Why hire highly-skilled, sophisticated hackers when all it takes is a bogus video link with the promise of a cat playing the keyboard to get clueless workers to open the door for you?

Still one of the easiest ways to violate a network or device, whether it’s from a Fortune 500 company or your grandmother’s smartphone, lies in the fact that users don’t like to install updates. This ignorance of the importance of updating lets hackers exploit known vulnerabilities, like last year’s Heartbleed bug, unless a patch is installed. Instead, consumers and workers alike continue to ignore those pesky little pop-ups and leave their systems open to attack.