Real Cybersecurity Threat: Irresponsible, Uninformed Employees

July 12, 2017 Marketing GrafWebCUSO

Organizational personnel cause almost half of worldwide IT security incidents in businesses each year, and 40% of employees involved hide their IT security episodes for fear of employer punishment or blame.

These are some of the revelations from a new report, “Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within,” from Kaspersky Lab and B2B International. It is based on a survey of over 5,000 businesses across the globe.

According to the report, this “hiding” behavior is the biggest challenge for larger businesses: 45% of enterprises (over 1,000 employees) have experienced employees hiding cybersecurity incidents, compared with 42% of SMBs (50 to 999 employees) and 29% of VSBs (under 49 employees).

Not only are employees hiding incidents, but the survey also found that uninformed or careless employees are one of the most likely causes of a cybersecurity incident, second only to malware. While malware is becoming more sophisticated each day, the surprising reality is that employee behavior causes 46% of IT security incidents each year.

Staff hiding incidents could lead to dramatic consequences for businesses, increasing the overall damage. Security teams must act quickly to identify threats in order to choose the right mitigation tactics.

“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” Slava Borilin, security education program manager at Kaspersky Lab, said. “If employees are hiding incidents, there must be a reason why.”

In some cases, Borilin added, companies introduce strict but unclear policies and put too much pressure on staff, warning them not to do this or that and holding them responsible if something goes wrong. “Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”

For example, a credit union without proper cybersecurity defenses or staff training is not only easy, low-hanging fruit for fraudsters, but could find itself considerably harmed. A breach could result in significant damage and cost to a credit union, including but not limited to a loss of members, funds, reputation and deposits, as well as a forensics investigation and increased NCUA oversight and audit costs.

According to the survey, the top three cybersecurity fears for businesses are all related to human factors and employee behavior:

  1. Employees sharing inappropriate data via mobile devices (47%).
  2. The physical loss of mobile devices exposing their company to risk (46%).
  3. The use of inappropriate IT resources by employees (44%).

The report suggested that while advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start by exploiting the easiest entry point: human nature. According to the research, 28% of targeted attacks on businesses in the last year had a phishing/social engineering source. The research also shows that even with malware, unaware and careless employees are often involved, causing malware infections in more than half (53%) of global security incidents.

“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” David Jacoby, security researcher at Kaspersky Lab, said. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network.” All it takes is someone inside who doesn’t know about, or pay attention to, security, and that device could easily be connected to the network, where it could wreak havoc.

The report recommended that, to withstand today’s sophisticated cyberthreats, a company must function as a healthy organism, with various teams having different responsibilities and tasks. “Naturally, that means teams need to learn about different things. Corporate management must be aware of risks and thoroughly understand their potential financial and reputational costs. Middle management and information security teams require a clear understanding of looming threats and the ability to take actions that increase cyberresilience, and they also need to be able to communicate appropriately with most staff.”