Employee violations of an organization’s information security policies are as dangerous as external hacker attacks according to a recent study from Kaspersky. In the last two years, 26% of cyber incidents in businesses occurred due to employees intentionally violating security protocol. This figure is almost equal to the damage caused by cybersecurity breaches, 30% of which occurred because of hacking.
There is a well-established perception that human error is one of the main causes of cyber incidents in business. But things are not as black and white. The state of an organization’s cybersecurity is more complicated than that and more factors come into the equation.
With this in mind, Kaspersky conducted a study 1 to find out the opinions of IT Security professionals working for SMEs and Enterprises worldwide on the impact people have on cybersecurity in a company.
The Kaspersky study revealed that, in addition to genuine errors, information security policy
violations by employees were one of the biggest problems for companies. Respondents from
organizations all over the world claimed that intentional actions to break the cybersecurity
rules were made by both non-IT and IT employees in the last two years. They said policy
violations such as these by IT security officers caused 12% of the cyber incidents in the last two years. Other IT professionals and their non-IT colleagues brought about 11% and 8% of cyber incidents respectively when they breached security protocols.
In terms of individual employee behavior, the most common problem is that employees
deliberately do what is forbidden and, conversely, they fail to perform what’s required.
Respondents in Europe confirmed that the leading reason for cyber incidents in Europe is employees avoiding updating system software or applications when needed (19%). Slightly fewer incidents (17% each) occurred due to access to corporate data from devices that are not allowed, but also intentional malicious behavior for personal benefit, or for the benefit of a third party. Another interesting finding was that intentionally malicious information security policy violations by employees were a relatively big issue in financial services, as 34% of respondents in this sector reported.
Although global data shows that almost a quarter (25%) of cyber incidents in the last two years occurred due to the use of weak passwords or their untimely change, in Europe this reason took only fourth place (16%), as often as visiting unsafe Internet sites. Almost 15% of incidents were caused because employees sent data to personal e-mail addresses, and in 12% of cases, one of the problematic actions was the implementation of IT services "from the shadows" on work devices.
According to our research, in addition to 26% of cyber incidents being caused by information security policies violation, 38% of breaches occur due to human mistakes. As the numbers are alarming, it is necessary to create a cybersecurity culture in an organization from the get-go by developing and enforcing security policies, as well as raising cybersecurity awareness among employees. Thus, the staff will approach the rules more responsibly and clearly understand the possible consequences of their violations.” comments Alexey Vovk, Head of Information Security at Kaspersky.
To keep your company’s infrastructure safe from the consequences of employees’
information security policies violations, Kaspersky recommends:
- Use cybersecurity products with Application, Web and Device control features, such as Kaspersky Endpoint Security for Business and Kaspersky Endpoint Security Cloud. This functionality can limit the use of unsolicited apps, websites, and peripherals, reducing infection risks.
- The Advanced Anomaly Control feature within Kaspersky Endpoint Security for Business Advanced, Kaspersky Total Security for Business and Kaspersky Endpoint Detection and Response Optimum helps prevent potentially dangerous activities that are ‘out of the norm’, both undertaken by the user and initiated by the attacker who has already seized control of the system.
- Control data transfers both ways – in and out of the system, as this also brings risks. With Kaspersky Endpoint Security Cloud, Kaspersky Security for Mail Server and Kaspersky Security for Microsoft Office 365 issues like these can be solved with data discovery and the content filtering function.
- Kaspersky Security for Internet Gateway also possesses content filtering, to prevent unsolicited data transmission regardless of its type, platform protection status, or user behavior at the endpoints inside the network.
For the full report and more insights on the impact of people on corporate cybersecurity, visit the following link.
