When most people think of a hacking event that results in the loss of highly sensitive government information, they probably envision foreign spies or figures like Edward Snowden. People who not only have an agenda to fulfill but also the means and the know-how to infiltrate what has to be the most secure network in the world.

Instead, the reality is that a shocking number of data breaches are caused by user error on the part of government employees, people who are all too often wholly untrained about the dangers associated with certain internet behaviors. These behaviors have led to a reported increase in cyber “incidents,” of which there were more than 200,000 last year alone, according to the Associated Press.

But with government officials placing cybersecurity as the number one threat to our country—even higher than terrorism—and a reported $10 billion a year of government funding spent on cybersecurity, why are we still subject to this kind of vulnerability?

Unlike the laws being put in place around the country requiring private businesses, from tiny startups to major corporations, to inform consumers if their personally identifiable information has been accessed through a data breach, the government isn’t required to inform the public if they’re the victims of a breach. Cyber security failures have fallen to news outlets to report. Those organizations uncovered a shocking amount of employee failure, most of which stemmed from falling for phishing emails, clicking on fake links which downloaded malicious software to a government computer, losing crucial pieces of technology like laptop computers with highly sensitive information stored on them, and more. Overall, the AP has uncovered that at least half of all government cyber incidents are the fault of an employee error.

Of course, it’s not only employees and contractors who are to blame for their online missteps. The other side of the coin is that the government’s data comes under constant threat from hackers, both from intentional foreign spies and from individuals who just want to see if they can accomplish the seemingly impossible by breaking in to this secure data. Unfortunately, as news outlets like The Washington Post have reported, it’s all too easy to access a government computer or server when employees are not trained on safe online security practices.

What is vitally important is better training and awareness of security threats, and the need to report these incidents to the public as they occur. When the White House’s own report states that 21% of the cyber incidents last year were due to employees violating workplace computer policies, and another 16% were due to employees losing a physical piece of technology, better instructional practices, constant threat management training, and penalties for outright violations might make our information more secure.