SAN FRANCISCO — As companies ramp up their data breach protection efforts — fueling a surge in related work for communications firms — a new Finn Partners study finds that an organization’s employees are its biggest cybersecurity risk, largely due to the use of personal devices for work.

The study, based on a survey of 500 US employees, found that nearly two in five workers have clicked on a link or opened an attachment from a sender they did not recognize. The risk of doing so is significant, as it can lead to the installation of malware on their devices and the harvesting of sensitive corporate data.

Additionally, 55% of respondents said they use their own devices for work, which makes them more vulnerable to hacks, malware and data breaches. The across-the-board growth of Apple’s services business is a factor, too, as it leads to individuals mixing their personal and professional applications on one device, the study found.

Only 26% regularly change login credentials or passwords — among the simplest antidotes to security threats, the report found.

“One of the major take-aways was that while employees are our greatest asset, they are also our biggest risk,” said Jodi Brooks, the agency’s managing partner and technology practice leader. “With the onset of BYOD (bring your own device), and the prediction that Apple will be a $1 trillion company with services and apps playing a major role in their growth, we know that our own employees play a significant risk to our organizations.”

In turn, nearly 31% of respondents have been the victim of a breach or hack, the study found, showing that the annual cybersecurity education programs companies offer aren’t doing the trick.

Only 25% of employees said they receive “cyber hygiene” training on a monthly basis from their IT team. Cyber hygiene refers to the updating of operating systems on devices, checking for security patches and changing passwords. Other findings show that 29% receive quarterly training; 19% receive bi-annual training; and 23% receive annual training.

“We need to learn from them and practice smart cyber hygiene – as individuals, and as agencies,” Brooks said. “The news cycle won’t pause while you try to get back online.”