Employees at 40% of businesses across the globe hide IT security incidents in order to avoid punishment, according to a study conducted by Kaspersky Lab, and the problem is most acute for larger businesses. 45% of enterprises (over 1,000 employees) experience employees hiding cyber security incidents, compared with 42% of SMBs (50 to 999 employees) and only 29% of VSBs (under 49 employees).
The report - Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within - revealed not only that employees are hiding incidents, but also that uninformed or careless employees are one of the most likely causes of a cyber security incident - second only to malware. While malware is becoming more sophisticated each day, the surprising reality is that the evergreen human factor can pose an even greater danger. 46% of IT security incidents are caused by employees each year - nearly half of the security issues businesses face are triggered by employee behaviour.
Staff hiding the incidents that they have encountered may lead to dramatic consequences for businesses, increasing the overall damage caused. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.
“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option - to avoid punishment whatever it takes. If your cyber security culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”
Borilin also recalls an industrial security model, where a reporting and ‘learn by mistake’ approach is at the heart of the business. For instance, in a recent statement, Tesla’s Elon Musk asked that every incident affecting worker safety be reported directly to him, so that he can play a central role in change.
The fear businesses have of being put at risk from within is clear in the results of the survey, with the top three cyber security fears all related to human factors and employee behaviour. Businesses worry the most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).
While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start by exploiting the easiest entry point - human nature. According to the research, every third (28%) targeted attack on businesses in the last year had phishing/social engineering at its source. Sophisticated targeted attacks do not happen to organizations every day - but conventional malware strikes en masse. Unfortunately, the research also shows that even where malware is concerned, unaware and careless employees are often involved, causing malware infections in more than half (53%) of incidents that occurred globally.
The human element of cyber security was the key focus of Business Continuity Awareness Week 2017, organized by the Business Continuity Institute, with the report published by the BCI identifying the simple steps that everyone can take in order to play a part in improving cyber security.
“Cyber criminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support - we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network - all you need is someone inside who doesn’t know about, or pay attention to, security, and that device could easily be connected to the network, where it could wreak havoc.”