Kaspersky Lab: the human factor

Employees at businesses worldwide hide IT security incidents at a rate of 40%, according to new research by Kaspersky Lab and B2B International, "The human factor in the security of information systems: How employees make businesses more vulnerable from within."

With 46% of IT security incidents being due to employees every year, this business vulnerability needs to be addressed at all levels, not just through the IT security department.

Kaspersky Lab Leading hackers to your door

Uninformed or careless employees are one of the main causes of IT security incidents, second on the list behind traditional malware. While malware is constantly evolving, the sad reality is that the "evergreen" human factor can be even more dangerous.

In particular, employee carelessness is one of the biggest weaknesses in corporate armor against digital threats when it comes to targeted attacks. While advanced hackers can always use specially designed malware and high-tech techniques to plan a heist, they will likely start by exploiting the easiest entry point: human nature.

According to the survey, one in three (28%) targeted attacks against businesses in the past year had phishing/social engineering techniques at their source. For example, a careless accountant could easily open a malicious file that looked like an invoice from one of a company's many contractors. This could take down the organization's entire infrastructure, making the accountant an unwitting accomplice to the attackers.

“Digital criminals often use employees as an entry point into corporate infrastructure. Phishing emails, weak passwords, bogus phone calls from tech support departments – we've seen it all. Even a simple flash card that may have been dropped in the office parking lot or next to the secretary's desk can jeopardize the entire – all it takes is someone inside the company who doesn't know or doesn't pay attention to security and that device can very easily connect to the network causing disastrous consequences,” commented David Jacoby, Kaspersky Lab Security Researcher.

Sophisticated targeted attacks do not happen daily in organizations, but conventional malware hits businesses massively. Unfortunately, the research also shows that when it comes to malware, uninformed and careless employees play an important role, contributing to malware infections in 53% of cases.

Kaspersky Lab Crypt: why the Human Resources department and top executives should be involved

When staff hide the incidents they have been involved in, the consequences may be serious, and this increases the overall harm caused. Even a single unreported incident may indicate a much larger breach, and security teams need to quickly identify the threats they face in order to choose the appropriate mitigation tactics.

Staff would rather put organizations at risk than report a problem because they fear punishment or are ashamed of being responsible for something that went wrong. Some companies have introduced strict rules and imposed more responsibility on employees, rather than encouraging them to simply be alert and cooperative. This means that cyber protection lies not only in the "realm" of technology, but also in the culture of the organization. This is where HR and senior management need to get involved.

“The problem of hiding incidents should be communicated not only to employees, but also to senior management and the Human Resources department. If employees are hiding incidents, there must be a reason. In some cases, companies introduce strict but unclear policies and put intense pressure on staff, warning employees not to do "this or that" because they will be held responsible if something goes wrong. Such policies foster fear and leave employees with only one option: to avoid punishment at all costs. If your digital security culture is positive, based on an educational approach instead of a restrictive one, from the top down, it will be obvious,” comments Slava Borilin, Security Education Program Manager at Kaspersky Lab.

Borilin also recalls an industrial safety model where a reporting and "learning from mistakes" approach is at the heart of the business. For example, in his recent statement, Tesla's Elon Musk asked to be immediately informed of any employee safety incident so that he could play a central role in change.

Kaspersky Lab The human factor: the corporate climate and even further

Organizations around the world are already aware that their own staff make their businesses vulnerable: 52% of respondents admit that staff are the greatest weakness in IT security. The need for staff-centered measures is becoming increasingly apparent: 35% of businesses are trying to improve security through staff training, making it the second most popular method of cyber-protection, ranked behind developing more sophisticated software (43%).

The best way to protect organizations from digital threats related to human factors is to combine the right tools with the right practices. This should include the efforts of Human Resources and senior executives to encourage employees to be cautious and to seek help in the event of an incident. Training to raise staff security awareness, providing clear guidelines instead of multi-page documents, creating strong skills and incentives, and promoting an appropriate work environment are the first steps that organizations need to take.

When it comes to security technologies, most of the threats that target uninformed or careless employees, including phishing, can be addressed with endpoint security solutions. These can meet the particular needs of small, medium and large enterprises in terms of functionality, default protection or advanced security settings to minimize risks.

Here you can find the complete report.


Written by Dimitris
