Several cybersecurity incidents are caused by employees themselves
Employees themselves are a risk to organizations. A global study by Kaspersky Lab shows that 46 percent of all cybersecurity incidents are caused by employees. What's more, 40 percent of self-inflicted cybersecurity incidents are kept secret.
Many circulating attacks target employees, who often exhibit a lack of care or attention to their documents. Employees are the "easiest gateway for highly technical and specialized attacks on companies," highlights a recent Kaspersky study.
Targeted methods
According to Kaspersky Lab, 28 percent of all targeted attacks last year were carried out via phishing or social engineering. An example: an email contains a malicious file disguised as a supplier's invoice; if this is opened by a careless accountant, the corporate network may already be infected.
"Employees often open the doors to a company's infrastructure for cybercriminals," explains David Jacoby, security researcher at Kaspersky Lab. "The spectrum of attacks ranges from phishing emails to passwords that are too weak to supposed calls from IT support. Another scam involves seemingly lost and compromised memory cards that are deliberately placed in the company parking lot or secretary's office and then found and read by well-meaning colleagues."
Corporate management required
Employees are reluctant to report cybersecurity incidents for fear of possible consequences; according to the Kaspersky study, this happens at 40 percent of companies. The consequences are serious, because security experts need to identify cybersecurity incidents as quickly as possible in order to respond to them adequately.
Instead of threatening with strict rules and consequences, companies should therefore promote awareness and a willingness to cooperate. "Cybersecurity is not just a question of technology, but also a question of corporate culture. Top management and HR departments should also be aware of this," says Slava Borilin, Security Education Program Manager at Kaspersky Lab.
"When employees cover up incidents, there are good reasons: guidelines that are too strict and unclear, too much pressure, or the search for culprits. All of these lead employees to cover up the truth out of fear. Far better results come from a positive cybersecurity culture that emphasizes awareness building and information flow, and is exemplified by senior management."
Information, good working atmosphere and technology
The silver bullet for preventing human cybersecurity failures lies in the combination of technical and personnel measures, which form two main layers:
- Personnel level: Security training, clearly and concisely formulated guidelines, further training and motivation measures, and a positive working atmosphere.
- Technological level: Endpoint security solutions can be used to contain human error by employees. Preconfigured protection measures and advanced security settings can also be used to meet the special requirements of small and medium-sized enterprises and corporate groups.
The full Kaspersky study, "Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within," is available below: