Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Alarming Percentage of Employees Hide Security Incidents: Report

Policy and Engagement Are Key to Addressing Insider Threats

Policy and Engagement Are Key to Addressing Insider Threats

The human factor, also often known as the insider threat, has long been known but rarely quantified. Kaspersky Lab has attempted to do just that — to answer the question, ‘What role do employees play in a business’s fight against cybercrime?’

Kaspersky used the B2B International market research company to query 5,000 businesses around the globe; and the results are alarming. “Fifty-two percent of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk,” explains the Kaspersky report.

The extent of the issue is illustrated by the top three vulnerability concerns all being related to the human factor or employee behavior: inappropriate sharing (47%); data on lost mobile devices (46%); and inappropriate use of IT resources (44%). The supply chain, increasingly used by advanced hackers as an entry point, figures fourth at 43%.

This concern is verified by actual cybersecurity incidents. “Among the businesses that faced cybersecurity incidents in the past 12 months, one-in-ten (11%) [of] the most serious types of incidents involved careless employees,” states the report. This is second only to incidents involving malware, standing at 23%. 

Even here, however, the human factor is important. Forty-nine percent of businesses reported being attacked by malware this year (an increase of 11% over last year). The top contributing factors behind the reported incidents are all human factors: careless/uninformed employees (53%); accidental loss of hardware (38%); and phishing/social engineering (36%).

The more dangerous targeted attacks are also increasing, with 27% of businesses reporting incidents (up 6% on the previous year). “Of these attacked businesses, over a quarter (28%) believe phishing/ social engineering contributed to the attack,” notes the report. 

Here Kaspersky makes an additional point: it isn’t enough to simply increase social engineering and phishing awareness, it is also important to create an environment in which employees are willing to own up to errors. Kaspersky calls this the ‘hide and seek’ problem: employees sometimes hide their mistake leaving the business to seek the source of the problem.

Advertisement. Scroll to continue reading.

“Employees,” the report explains, “don’t always take action when their company is hit by a security incident. In fact, in 40% of businesses around the world, employees hide an incident when it happens.” This tendency varies by size of company: as low as 29% of very small businesses; at 42% of SMBs; and as high as 45% of enterprises with more than 1,000 employees.

Kaspersky warns against a big stick approach to this problem. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear rules and impose extra responsibility on employees, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies only foster fears, and leave employees with just one option — to avoid punishment whatever it takes.”

BYOD is another area where the human factor continues to cause concern. “Almost half (48%) of businesses overall,” says Kaspersky, “are worried about employees inappropriately sharing company data via the mobile devices that they bring to work.” This is a particular concern for small businesses, where it rises to 57%. The concern is justified in practice: according to the research, more than half (54%) of businesses have had data exposed because employees have lost devices.

Kaspersky warns that policy alone is not enough to defend against the human factor. “A policy, alone, will not protect a business from threats — partly because IT security policies are not always followed by the staff that they are designed for, and partly because they cannot cover every possible risk.” In fact, 44% of respondents admitted that employees simply do not properly follow policy.

Kaspersky’s solution is to find the right balance of policy and engagement: policy to define correct behavior; and engagement to make employees want to follow policy. “Staff training is essential in raising awareness among personnel and motivating them to pay attention to cyberthreats and countermeasures — even if they are not part of their specific job responsibilities. Installing updates, ensuring that anti-malware protection is on, and managing personal passwords properly shouldn’t always be at the bottom of an employee’s to-do list.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.