July 10, 2017 by Canadian Underwriter
Forty per cent of employees around the globe hide IT security incidents to avoid punishment, according to a new report from cybersecurity company Kaspersky Lab and market research company B2B International.
The report, titled Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within and released on Monday, also found that dishonesty is most challenging for larger businesses. Forty-five per cent of enterprises with more than 1,000 employees experience employees hiding cybersecurity incidents, compared with 42% of small- and medium-sized businesses (SMBs) and only 29% of very small businesses (under 49 employees).
The study involved 5,274 respondents around the globe.
Not only are employees hiding incidents, Kaspersky said in a press release, “uninformed or careless employees” are one of the most likely causes of a cybersecurity incident – second only to malware. While malware is becoming more and more sophisticated each day, the surprising reality is that the “evergreen” human factor can pose an even greater danger, the release said. Forty-six per cent of IT security incidents are caused by employees each year, meaning nearly half of the security issues businesses face are triggered by employee behaviour.
Staff hiding the incidents that they have encountered may lead to dramatic consequences for businesses, increasing the overall damage caused, Kaspersky noted. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.
“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab, in the release. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”
The fear businesses have of being put at risk from within is clear in the results of the survey, with the top three cybersecurity fears all related to human factors and employee behavior. Businesses worry the most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).
While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start with exploiting the easiest entry point – human nature, Kaspersky suggested. According to the research, every third (28%) targeted attack on businesses in the last year had phishing/social engineering at its source.
“Sophisticated targeted attacks do not happen to organizations every day – but conventional malware does strike at mass,” the release said. “Unfortunately though, the research also shows that even where malware is concerned, unaware and careless employees are also often involved, causing malware infections in more than half (53%) of incidents that occurred globally.”
“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network – all you need is someone inside, who doesn’t know about, or pay attention to security, and that device could easily be connected to the network where it could wreak havoc.”