Social media photo and video site Snapchat has had its share of headline-grabbing, embarrassing security issues over the years, some intentional and some due to its own inability to plan. When a hacker warned and then exposed nearly 5 million users’ accounts because of a bug that left the info vulnerable, that was bad enough. But when 100,000 or so shared videos and photos were accessed and released online (despite the company insisting that it doesn’t store the messages its users send, while forgetting that the cellular providers’ servers do store that information) some experts wondered if that might have been enough to seal Snapchat’s fate as an untrustworthy platform.

snapchat

But the news last week that Snapchat has experienced a whole new data breach only highlights what too many companies refuse to accept: your biggest security threat may very well be someone on your payroll.

In an apology post on February 28, Snapchat admitted that an employee had willingly handed over highly sensitive information on the company’s employees–everything needed to steal their identities–because of a phishing attack. The email appeared to come from the company’s CEO Evan Spiegel, requesting the payroll records of all employees. Unfortunately, at this time of year, that’s not an unheard of request since the tax filing deadline for individuals is next month. The recipient dutifully submitted the information; four hours later, Snapchat was on the phone with the FBI to report the breach.

If Snapchat can take any consolation from this, it’s that human error is behind an increasing number of breaches, especially now that more and more companies are realizing (and believing) the need for tighter antivirus and anti-malware software across their entire networks. This is largely why “boss phishing” is becoming more and more common; as low-level hackers find themselves blocked at every turn, what’s easier than masquerading as the boss and getting an hourly-wage employee to hand over the information they want?

A phishing email was behind one of the most infamous recent data breaches, the Target retail chain breach that affected as many as 121 million customers. The source of the bug that infected the store’s POS credit card system (thereby stealing credit card information) was spread via a link in a malicious email sent to one of Target’s air conditioner repair companies.

Who needs to worry about pesky security protocols and tightened cybersecurity when you can get a secretary to install the bug for you by clicking on a link to a cat video?

Unfortunately, the response in these cases is almost always the same: we’re shocked…we don’t know how this happened…we never thought one of our employees would do this. But that begs the question: Why not? Why don’t more companies realize that their workforce is made up of individuals who may or may not have the necessary training to prevent an attack or the right motivation to keep company data secure? More importantly, why are companies still surprised?