Employees hide IT security incidents in 40 per cent of businesses, according to a new report from Kaspersky Lab and B2B International, “Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within”. With 46 per cent of IT security incidents caused by employees each year, this business vulnerability must be addressed on many levels, not just through the IT security department.
Uninformed or careless employees are one of the most likely causes of a cybersecurity incident — second only to malware. While malware is becoming more and more sophisticated, the sad reality is that the evergreen human factor can pose an even greater danger. In particular, employee carelessness is one of the biggest chinks in corporate cybersecurity armour when it comes to targeted attacks, the IT security product firm says. While advanced hackers might always use custom-made malware and hi-tech techniques to plan a heist, they will likely start with exploiting the easiest entry point – human nature.
According to the research, every third (28 per cent) targeted attack on businesses in the last year had phishing/social engineering at its source. For example, a careless accountant could easily open a malicious file disguised as an invoice from one of a company’s numerous contractors. This could shut down the entire organisation’s infrastructure, making the accountant an unwitting accomplice to attackers.
David Emm, pictured, principal security researcher at Kaspersky Lab says: “Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all. Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network — all you need is someone inside, who doesn’t know about, or pay attention to security, and that device could easily be connected to the network where it could reap havoc.”
Staff would rather put organisations at risk than report a problem because they fear punishment, or are embarrassed that they are responsible for something going wrong, the report suggests. Some companies have introduced strict rules and impose extra responsibility on employees, instead of encouraging them to simply be vigilant and cooperative. This means that cyber-protection not only lies in the realm of technology, but also in an organisation’s culture and training, it’s suggested. Visit the Kaspersky blog for more.
