Employees hide IT security incidents in 40% of businesses around the world – that’s according to a new report from Kaspersky Lab and B2B International, “Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within”.
With 46% of IT security incidents caused by employees each year, this business vulnerability must be addressed on many levels, not just through the IT security department.
Uninformed or careless employees are one of the most likely causes of a cybersecurity incident — second only to malware. While malware is becoming more and more sophisticated, the sad reality is that the evergreen human factor can pose an even greater danger.
In particular, employee carelessness is one of the biggest chinks in corporate cybersecurity armor when it comes to targeted attacks. While advanced attackers may use custom-made malware and high-tech techniques to plan a heist, they will likely start by exploiting the easiest entry point – human nature.
According to the research, every third (28%) targeted attack on businesses in the last year had phishing/social engineering at its source. For example, a careless accountant could easily open a malicious file disguised as an invoice from one of a company’s numerous contractors. This could shut down the entire organization’s infrastructure, making the accountant an unwitting accomplice to attackers.
Staff hiding the incidents they have been involved in may lead to dramatic consequences, increasing the overall damage caused. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.
But staff would rather put organizations at risk than report a problem because they fear punishment, or are embarrassed that they are responsible for something going wrong. Some companies have introduced strict rules and impose extra responsibility on employees, instead of encouraging them to simply be vigilant and cooperative. This means that cyberprotection not only lies in the realm of technology, but also in an organization’s culture and training. That’s where top management and HR need to get involved.
According to Kaspersky Lab, the best way of protecting organizations from human-related cyberthreats is to combine the right tools with the right practices. This should involve HR and management efforts to motivate and encourage employees to be watchful and to seek help in the case of an incident. Security awareness training for staff, clear guidelines instead of multipage documents, strong skills and motivation, and the right working atmosphere are the first steps organizations should take.
In terms of security technologies, most of the threats that target unaware or careless employees – including phishing – can be addressed with endpoint security solutions. These can cover the particular needs of SMB and enterprise companies in terms of functionality, pre-configured protection or advanced security settings, to minimize risks.