Simon Ritzmann/Getty Images

Hackers are no match for human error. Employee negligence is the main cause of data breaches, according to a state of the industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization. Over 1,000 small business owners and C-suite executives in the United States were surveyed online in April for the report. In 2017, data breaches cost companies an average of $3.6 million globally, according to a separate report from the Ponemon Institute. For smaller businesses especially, that price tag could wipe out the entire firm. For a company of any size, a data breach can also cheapen a company's brand and negatively impact their ability to do work, according to Shred-it.

"The study's findings clearly show that seemingly small habits can pose great security risks," said Shred-it vice president Monu Kalsi.

Basic bad habits

Many of the most dangerous offenses by employees are things that they might not even think about as risky behavior. A surprising number of workers surveyed by Shred-it admitted to bad security behavior at work; over 25 percent said that they leave their computer unlocked and unattended. Even taking notes on paper, or leaving papers out on your desk, can have unintended consequences. "When you use paper to document notes or meeting minutes it raises the risk of you leaving that information behind," said Kalsi. A simple mistake can backfire; earlier this year, a Department of Homeland Security employee left sensitive Super Bowl security documents on a plane.

Remote work

Working from Starbucks or even your living room may be nice and convenient, but it could also be opening your company up to a dangerous data breach. Remote work is increasing. Over half of hiring managers agree that remote work is more common and a third think it is the future of work, according to a report on the future of work from Upwork, a freelancing platform. Cybersecurity practices have not yet caught up. A majority of executives agree that the risk of a data breach is higher when an employee works remotely, yet few businesses have comprehensive off-site policies in place for those workers. Over half of small business owners said they have no policy for remote workers. In addition, contractors or external vendors also open up companies to data breaches. The Shred-it survey found that 1 in 4 executives and 1 in 5 small business owners said that an external vendor was the cause of a data breach at their company. This is because many businesses don't do a thorough job of managing access when a relationship with an external vendor ends, according to Kalsi. "There needs to be better governance around these things," he said. More from Personal Finance

These are the ways student loans stop people from buying a house

Student loan nightmare: Some borrowers have to start over

People with massive student debt hope Trump will let them declare bankruptcy

Bridging the training gap

Many companies have training and policies in place to protect data and teach their employees good cyber practices. But those efforts might not be frequent or prevalent enough to truly protect a company. "The general assumption that a lot of companies make that if you train an employee once a year they will retain that information is a false assumption," said Kalsi. Training and awareness should be dynamic and ongoing to foster a company culture of good security practices. In addition, cybersecurity should extend beyond the office and into the home, especially if a company has remote workers or uses external vendors to do business. "This isn't just about commercial or business use anymore," said Michael Tanenbaum, executive vice president and the head of the North America cyber practice at Chubb, a global insurance company. "We're trying to make sure that as these trends continue, we aren't just thinking about the commercial end."

The general assumption that a lot of companies make that if you train an employee once a year they will retain that information is a false assumption Monu Kalsi vice president, Shred-it

What companies can do