Alarming Percentage of Employees Hide Security Incidents: Report

Policy and Engagement Are Key to Addressing Insider Threats

The human factor, often described as the insider threat, has long been recognized but rarely quantified. Kaspersky Lab has attempted to do just that, by asking: ‘What role do employees play in a business’s fight against cybercrime?’

Kaspersky commissioned the market research firm B2B International to survey 5,000 businesses around the globe, and the results are alarming. “Fifty-two percent of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk,” explains the Kaspersky report.

The extent of the issue is illustrated by the fact that the top three vulnerability concerns all relate to the human factor or employee behavior: inappropriate sharing of data (47%); data on lost mobile devices (46%); and inappropriate use of IT resources (44%). The supply chain, increasingly used by advanced attackers as an entry point, comes fourth at 43%.

This concern is borne out by actual cybersecurity incidents. “Among the businesses that faced cybersecurity incidents in the past 12 months, one-in-ten (11%) [of] the most serious types of incidents involved careless employees,” states the report. That is second only to incidents involving malware, at 23%.

Even there, the human factor matters. Forty-nine percent of businesses reported being attacked by malware this year (an increase of 11% over the previous year, according to the report). The top contributing factors behind the reported incidents were all human: careless or uninformed employees (53%); accidental loss of hardware (38%); and phishing or social engineering (36%).

The more dangerous targeted attacks are also increasing, with 27% of businesses reporting incidents (up 6% on the previous year). “Of these attacked businesses, over a quarter (28%) believe phishing/social engineering contributed to the attack,” notes the report.

Here Kaspersky makes a further point: it isn’t enough simply to raise awareness of social engineering and phishing; it is also important to create an environment in which employees are willing to own up to errors. Kaspersky calls this the ‘hide and seek’ problem: employees sometimes hide their mistakes, leaving the business to seek out the source of the problem. The consequence for incident response is direct: a phished credential or a lost laptop that an employee conceals cannot be contained while the incident is still small.

“Employees,” the report explains, “don’t always take action when their company is hit by a security incident. In fact, in 40% of businesses around the world, employees hide an incident when it happens.” This tendency varies with company size: 29% in very small businesses, 42% in SMBs, and 45% in enterprises with more than 1,000 employees.

Kaspersky warns against a big stick approach to this problem. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear rules and impose extra responsibility on employees, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies only foster fears, and leave employees with just one option — to avoid punishment whatever it takes.”

BYOD is another area where the human factor continues to cause concern. “Almost half (48%) of businesses overall,” says Kaspersky, “are worried about employees inappropriately sharing company data via the mobile devices that they bring to work.” This is a particular concern for small businesses, where it rises to 57%. The concern is justified in practice: according to the research, more than half (54%) of businesses have had data exposed because employees have lost devices.

Kaspersky warns that policy alone is not enough to defend against the human factor. “A policy, alone, will not protect a business from threats — partly because IT security policies are not always followed by the staff that they are designed for, and partly because they cannot cover every possible risk.” In fact, 44% of respondents admitted that employees simply do not properly follow policy.

Kaspersky’s solution is to find the right balance of policy and engagement: policy to define correct behavior, and engagement to make employees want to follow it. “Staff training is essential in raising awareness among personnel and motivating them to pay attention to cyberthreats and countermeasures — even if they are not part of their specific job responsibilities. Installing updates, ensuring that anti-malware protection is on, and managing personal passwords properly shouldn’t always be at the bottom of an employee’s to-do list.”
