Kaspersky Lab: the human factor

Business employees worldwide hide IT security incidents at a rate of 40%, according to new research by Kaspersky Lab and B2B International, "The human factor in the security of information systems: How employees make businesses more vulnerable from within."

With 46% of IT security incidents being due to employees every year, this business vulnerability needs to be addressed at all levels, not just through the IT security department.

Kaspersky Lab Leading hackers to your door

Uninformed or indifferent employees are one of the main causes of information system security incidents, second on the list behind traditional malware. While malware is constantly evolving, the sad reality is that the "evergreen" human factor can be even more dangerous.

In particular, employee carelessness is one of the biggest weaknesses in corporate defenses against digital threats when it comes to targeted attacks. While advanced hackers can always use specially designed malware and high-tech techniques to plan a heist, they are likely to start by exploiting the easiest point of entry: human nature.

According to the research, one in three (28%) targeted attacks against businesses over the past year had phishing/social engineering techniques at its source. For example, a careless accountant could easily open a malicious file that looked like an invoice from one of a company's numerous contractors. This could take the organization's entire infrastructure out of operation, unwittingly making the accountant an accomplice of the attackers.

"Digital criminals often use employees as an entry point into corporate infrastructure. Phishing emails, weak passwords, bogus phone calls from tech support departments – we've seen it all. Even a simple flash card that might have been dropped in the office parking lot or next to the secretary's desk can compromise the entire network – all it takes is someone inside the company who doesn't know or doesn't care about security, and this device can easily connect to the network, causing disastrous consequences," commented David Jacoby, Kaspersky Lab Security Researcher.

Sophisticated targeted attacks do not happen daily in organizations, but conventional malware hits businesses on a massive scale. Unfortunately, the research also shows that when it comes to malware, uninformed and careless employees play an important role, contributing to malware infections in 53% of cases.

Kaspersky Lab Hide and seek: why the Human Resources department and top executives should be involved

When staff hide the incidents they have been involved in, the consequences may be severe, and this increases the overall harm caused. Even a single unreported incident may indicate an even greater breach, and security teams need to quickly recognize the threats they face in order to choose the appropriate mitigation tactics.

Staff would rather put organizations at risk than report a problem because they fear punishment or are ashamed of being responsible for something that went wrong. Some companies have introduced strict rules and imposed more responsibility on employees, rather than encouraging them to simply be alert and cooperative. This means that protection in cyberspace is not only in the "realm" of technology, but also in the culture and training of the organization. This is where HR and senior management need to get involved.

"The problem of concealment of incidents should be communicated, not only to the employees but also to the top executives and the Human Resources department. If employees are hiding incidents, there must be a reason. In some cases, companies introduce strict but vague policies and put a lot of pressure on staff, warning employees not to do 'this or that' because they will be held accountable if something goes wrong. Such policies encourage fears and leave workers with only one choice - to avoid punishment at all costs. If your culture of digital security is positive, based on an educational approach instead of a restrictive one, from top to bottom, the results will be obvious," said Slava Borilin, Security Education Program Manager at Kaspersky Lab.

Borilin also recalls an industrial safety model where a reporting and "learning by mistake" approach is at the heart of s. For example, in his recent statement, Tesla's Elon Musk asked to be immediately informed of any employee safety incident so that he could play a central role in change.

Kaspersky Lab The human factor: the corporate climate and even further

Organizations around the world are already aware that their staff make their businesses vulnerable: 52% of respondents admit that staff are the greatest weakness in IT security. The need for staff-centered measures is becoming increasingly apparent: 35% of businesses are trying to improve security through staff training, making it the second most popular method of cyber-protection, behind developing more sophisticated software (43%).

The best way to protect organizations from digital threats related to human factors is to combine the right tools with the right practices. This should include the efforts of Human Resources and senior executives to encourage employees to be cautious and to seek help in the event of an incident. Training to raise staff security awareness, providing clear guidelines instead of multi-page documents, creating strong skills and incentives, and promoting an appropriate work environment are the first steps that organizations need to take.

When it comes to security technologies, most of the threats that target uninformed or careless employees, including phishing, can be addressed with endpoint security solutions. These can meet the particular needs of small, medium and large enterprises in terms of functionality, default protection or advanced security settings to minimize risks.

Here you can find the complete report.


Written by Dimitris
