According to a new report, ‘Human Factor in IT Security: How Employees are Making Businesses Vulnerable’, by Kaspersky Lab and B2B International, employees hide IT security incidents in 40% of businesses globally, and employees are the cause of 46% of IT security incidents each year.
The findings show that careless or uninformed employees are the most likely cause of a cyber security incident, even as malware continues to grow more sophisticated.
A careless accountant could easily open a malicious file disguised as an invoice: 28% of targeted attacks on businesses over the last year relied on social engineering and phishing.
“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support — we’ve seen it all. Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network — all you need is someone inside who doesn’t know about, or pay attention to, security, and that device could easily be connected to the network where it could wreak havoc,” said David Emm, Principal Security Researcher at Kaspersky Lab.
It appears that staff would rather put their organisation at risk than report a problem, for fear of embarrassment or punishment.
‘Careless employees cause 53% of incidents’
The research shows that even where malware is concerned, careless employees are behind 53% of incidents.
Slava Borilin, Security Education Programme Manager at Kaspersky Lab, said: “The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments.”
He added: “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cyber security culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”
35% of businesses plan to improve security by training their staff, and 43% intend to deploy more sophisticated software.
Written from press release by Leah Alger