Employees hide IT security incidents in 40 percent of businesses across the globe to avoid punishment.
The report, Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within, said the dishonesty is most challenging for larger-sized businesses. Forty-five percent of enterprises (over 1,000 employees) experience employees hiding cybersecurity incidents, with 42 percent of SMBs (50 to 999 employees), and only 29 percent of VSBs (under 49 employees).
Not only are employees hiding incidents, but the survey also found that the uninformed or careless employees are one of the most likely causes of a cybersecurity incident — only second to malware. While malware is becoming more and more sophisticated each day, the surprising reality is that the evergreen human factor can pose an even greater danger. Forty-six percent of IT security incidents are caused by employees each year – that’s nearly half of the business security issues faced triggered by employee behavior.
Staff hiding the incidents that they have encountered may lead to dramatic consequences for businesses, increasing the overall damage caused. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.
“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”
The fear businesses have of being put at risk from within is clear in the results of the survey, with the top three cybersecurity fears all related to human factors and employee behavior. Businesses worry the most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).
While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start with exploiting the easiest entry point – human nature. According to the research, every third (28%) targeted attack on businesses in the last year had phishing/social engineering at its source. Sophisticated targeted attacks do not happen to organizations every day – but conventional malware does strike at mass. Unfortunately though, the research also shows that even where malware is concerned, unaware and careless employees are also often involved, causing malware infections in more than half (53%) of incidents that occurred globally.
“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network — all you need is someone inside, who doesn’t know about, or pay attention to security, and that device could easily be connected to the network where it could reap havoc.”