Kaspersky Lab: the human factor

Business employees hide IT security incidents at a rate of 40% worldwide, according to new research by Kaspersky Lab and B2B International, "The human factor in the security of information systems: How employees make businesses vulnerable from within."

With 46% of IT security incidents being due to employees every year, this business vulnerability needs to be addressed at all levels, not just through the IT security department.
Kaspersky Lab: Leading hackers to your door

Uninformed or careless employees are one of the main causes of incidents in the security of information systems, second on the list only to traditional malware. While malware is constantly evolving, the sad reality is that the "evergreen" human factor can be even more dangerous.

In particular, employee carelessness is one of the biggest chinks in corporate armor against digital threats when it comes to targeted attacks. While advanced hackers can always use specially designed malware and highly sophisticated techniques to plan a heist, they will likely begin by exploiting the easiest entry point: human nature.

According to the research, one in three (28%) targeted attacks against businesses in the past year had social engineering techniques at their source. For example, a careless accountant could easily open a malicious file that looked like an invoice from one of a company's many contractors. This could disable the organization's entire infrastructure, making the accountant an unwitting accomplice to the attackers.

"Digital criminals often use employees as a point of entry into corporate infrastructure. Phishing emails, weak passwords, phone calls from technology support departments - we've seen them all. Even a simple flash card that may have slipped into the office or next to the secretariat can endanger the entire network - all you need is someone inside the company who does not know about or does not pay attention to security, and this device can easily connect to the network, causing disastrous consequences," commented David Jacoby, Kaspersky Lab Security Investigator.

Sophisticated targeted attacks do not happen daily in organizations, but conventional malware hits businesses on a massive scale. Unfortunately, the research also shows that uninformed and careless employees play an important role here too, contributing to malware infections in 53% of cases.

Kaspersky Lab: Hide and seek: why the Human Resources department and top executives should be involved

When staff hide the incidents they have been involved in, the consequences may be severe, and the overall harm caused increases. Even a single unreported incident may indicate a much larger breach, and security teams need to quickly recognize the threats they face in order to choose the appropriate mitigation tactics.

Staff would rather put organizations at risk than report a problem, because they are afraid of being punished or ashamed of being responsible for something that went wrong. Some companies have introduced stringent rules and imposed more responsibilities on employees rather than simply encouraging them to be alert and cooperative. This means that cyber-protection is not only a matter of the "realm" of technology but also of the culture and education of the organization. This is where Human Resources and top management need to be engaged.

"The problem of concealment of incidents should be communicated, not only to the employees but also to the top executives and the Human Resources department. If employees are hiding incidents, there must be a reason. In some cases, companies introduce strict but vague policies and put a lot of pressure on staff, warning employees not to do 'this or that' because they will be held accountable if something goes wrong. Such policies encourage fears and leave workers with only one choice - to avoid punishment at all costs. If your culture of digital security is positive, based on an educational approach instead of a restrictive one, from top to bottom, the results will be obvious," said Slava Borilin, Security Education Program Manager at Kaspersky Lab.

Borilin also recalls an industrial safety model in which a reporting and "learning by mistake" approach is at the heart of the business. For example, in a recent statement, Tesla's Elon Musk asked to be immediately informed of any employee safety incident so that he could play a central role in change.

Kaspersky Lab: The human factor: the corporate climate and even further

Organizations around the world are already aware that their staff make their businesses vulnerable: 52% of respondents admit that staff are the greatest weakness in IT security. The need for staff-centered measures is becoming increasingly apparent: 35% of businesses are trying to improve security through staff training, making it the second most popular method of cyber-protection, behind developing more sophisticated software (43%).

The best way to protect organizations from digital threats related to the human factor is to combine the right tools with the right practices. This should include efforts by Human Resources and senior executives to encourage employees to be cautious and to seek help in the event of an incident. Training to raise staff security awareness, providing clear guidelines instead of multi-page documents, building strong skills and incentives, and promoting an appropriate work environment are the first steps that organizations need to take.

When it comes to security technologies, most of the threats that target uninformed or careless employees, including phishing, can be addressed with security solutions for endpoints. These can meet the particular needs of small, medium and large enterprises in terms of functionality, default protection or advanced security settings to minimize risks.

Here you can find the complete report.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris