Information Security Violations By Employees Do As Much Harm As Hacking: Kaspersky
The study found that 26% of cyber incidents occurred due to employees intentionally violating security protocol.
Employee violations of an organisation’s information security policies are as dangerous as external hacker attacks, according to a study by cybersecurity company Kaspersky.
In the last two years, 26% of cyber incidents in organisations occurred due to employees intentionally violating security protocol. This is almost equal to the damage caused by cybersecurity breaches, 30% of which occurred because of hacking.
The study revealed that, along with genuine errors, information security policy violations by employees was a major problem for companies. Respondents from global organisations claimed that intentional actions to break the cybersecurity rules were made by both non-IT and IT employees in the last two years.
Key Insights
Below are the key findings from the study:
In the past two years, 77% of companies experienced at least one cybersecurity breach, with many enduring up to six.
Of the companies surveyed, 75% reported that the cybersecurity incidents experienced were serious.
Organisations said 14% of cyber incidents were due to senior IT security staff errors, and a further 15% caused by other IT staff.
Other IT professionals and their non-IT colleagues brought about 11% and 8% of cyber incidents, respectively.
One-fourth (25%) of cyber incidents occurred due to the use of weak passwords or failure to change them regularly.
Of the breaches, 24% were the result of staff visiting unsecured websites. Another 21% were because employees did not update the system software or applications when it was required.
Intentional Actions A Concern
Organisations admitted that a substantial number of cyber incidents in the past two years were caused by various intentional actions by employees.
Intentional policy violations by IT security officers caused 12% of cyber incidents.
Using unsolicited services or devices was a major contributor to intentional violations, with 24% of companies suffering cyber incidents because employees used unauthorised systems for data sharing.
Employees in 21% of companies intentionally accessed data through unauthorised devices, while 20% of staff sent data to personal email addresses.
Deployment of shadow IT on work devices was identified by 11% of respondents as leading to cyber incidents.
Respondents admitted that, additionally, 20% of malicious actions were committed by employees for personal gain.
Intentional security policy violations were higher in financial services, as 34% of respondents in this sector reported.
Consequences Of Cyber Incidents
The study found that regardless of whether it is accidental human error or an information security policies violation, consequences can be severe.
In one-third of cases, a confidential data leak occurred, implicating employees, but also customers who are unlikely to be loyal to a business from then on.
Following the breach, 25% of organisations took a reputational hit, and 24% confirmed a loss of customer trust.
Financial penalties were common in 22% of the cases.
In 18% of cases, the breach led to a staff member being sacked.
Inadequate Skills, Budget And Infrastructure
Respondent organisations identified skills shortage, gaps in infrastructures and inadequate budgets as problem areas.
Of the respondents, 18% reported that a skills shortage in cybersecurity is the cause of incidents in their companies.
Overall, 75% of companies regarded the shortage of skilled staff as a serious problem.
Around 41% felt they have gaps in cybersecurity infrastructures and plan to increase investments in this area.
Of the respondents, 21% said they do not have the budget to take adequate cybersecurity measures.
