Policy and Engagement Are Key to Addressing Insider Threats
The human factor, often described as the insider threat, has long been recognised but rarely quantified. Kaspersky Lab has attempted to do just that, and to answer the question, ‘What role do employees play in a business’s fight against cybercrime?’
Kaspersky commissioned the market research company B2B International to survey 5,000 businesses around the globe, and the results are alarming. “Fifty-two percent of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk,” explains the Kaspersky report.
The extent of the issue is illustrated by the fact that the top three vulnerability concerns all relate to employee behaviour: inappropriate sharing of data (47%); data on lost mobile devices (46%); and inappropriate use of IT resources (44%). The supply chain, increasingly used by advanced attackers as an entry point, comes fourth at 43%. Note that these figures measure what businesses are worried about, not what has actually happened to them.
The concern is borne out by actual cybersecurity incidents. “Among the businesses that faced cybersecurity incidents in the past 12 months, one-in-ten (11%) [of] the most serious types of incidents involved careless employees,” states the report. This is second only to incidents involving malware, at 23%.
Even in the malware category, however, the human factor is important. Forty-nine percent of businesses reported being attacked by malware this year (an increase of 11% over last year), and the top contributing factors behind the reported incidents are all human ones: careless/uninformed employees (53%); accidental loss of hardware (38%); and phishing/social engineering (36%).
The more dangerous targeted attacks are also increasing, with 27% of businesses reporting such incidents (up 6% on the previous year). “Of these attacked businesses, over a quarter (28%) believe phishing/social engineering contributed to the attack,” notes the report.
Here Kaspersky makes an additional point: it isn’t enough simply to raise awareness of social engineering and phishing; it is also important to create an environment in which employees are willing to own up to errors. Kaspersky calls this the ‘hide and seek’ problem: employees sometimes hide their mistake, leaving the business to seek the source of the problem.
“Employees,” the report explains, “don’t always take action when their company is hit by a security incident. In fact, in 40% of businesses around the world, employees hide an incident when it happens.” The tendency grows with company size: 29% in very small businesses, 42% in SMBs, and 45% in enterprises with more than 1,000 employees.
Kaspersky warns against a big stick approach to this problem. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear rules and impose extra responsibility on employees, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies only foster fears, and leave employees with just one option — to avoid punishment whatever it takes.”
BYOD is another area where the human factor continues to cause concern. “Almost half (48%) of businesses overall,” says Kaspersky, “are worried about employees inappropriately sharing company data via the mobile devices that they bring to work.” This is a particular concern for small businesses, where the figure rises to 57%. The concern is justified in practice: according to the research, more than half (54%) of businesses have had data exposed because employees lost devices.
Kaspersky also warns that policy alone is not enough to defend against the human factor. “A policy, alone, will not protect a business from threats — partly because IT security policies are not always followed by the staff that they are designed for, and partly because they cannot cover every possible risk.” Indeed, 44% of respondents admitted that employees simply do not properly follow policy.
Kaspersky’s solution is to find the right balance of policy and engagement: policy to define correct behaviour, and engagement to make employees want to follow it. “Staff training is essential in raising awareness among personnel and motivating them to pay attention to cyberthreats and countermeasures — even if they are not part of their specific job responsibilities. Installing updates, ensuring that anti-malware protection is on, and managing personal passwords properly shouldn’t always be at the bottom of an employee’s to-do list.”