Woburn, MA – November 22, 2023 — A new survey by Kaspersky has found that North American employee violations of an organization’s information security policies are almost as dangerous as external hacker attacks. In the last two years, 33% of cyber incidents in U.S. and Canadian businesses occurred due to employees intentionally violating security protocol. This figure is almost equal to the damage caused by cybersecurity breaches, 27% of which occurred because of hacking.
There is a well-established perception that human error is one of the main causes of cyber incidents in business, but this is not a black and white issue as the state of an organization’s cybersecurity has several factors at play. With this in mind, Kaspersky conducted a study to find out the opinions of IT Security professionals working for SMEs and Enterprises worldwide on the impact people have on cybersecurity in a company. The research was aimed at gathering information about different groups of people influencing cybersecurity, considering both internal staff, and external actors.
The Kaspersky study revealed that, in addition to genuine errors, information security policy violations by employees were one of the biggest problems for companies. Respondents from North American organizations claimed that intentional actions to break the cybersecurity rules were made by both IT and non-IT employees in the last two years. They said policy violations such as these by IT security officers caused 8% of the cyber incidents in the last two years. Other IT professionals and their non-IT colleagues brought about 18% and 10% of cyber incidents respectively when they breached security protocols.
In terms of individual employee behavior, the most common problem is that employees deliberately do what is forbidden and, conversely, they fail to perform what’s required. Thus, respondents claim that a quarter (40%) of cyber incidents in the last two years occurred due to the use of weak passwords or failure to change them in a timely manner. The other cause of almost one quarter (23%) of cybersecurity breaches were the result of staff visiting unsecured websites. Another 21% report they faced cyber incidents because employees did not update the system software or applications when it was required.
Using unsolicited services or devices is another major contributor to intentional information security policy violations. Just over one quarter (27%) of companies suffered cyber incidents because their employees used unauthorized systems for data sharing. Employees in 29% of companies intentionally accessed data through unauthorized devices, whilst 25% of staff in other businesses sent data to personal email addresses. Another reported action was the deployment of shadow IT on work devices, with 13% of respondents indicate that this led to their cyber incidents.
Alarmingly, respondents admit that, besides the irresponsible behavior already mentioned, 27% of malicious actions were committed by employees for personal gain. Another interesting finding was that intentionally malicious information security policy violations by employees were a relatively big issue in financial services, as 34% of respondents in this sector reported.
“Along with external cybersecurity threats, there are many internal factors that can lead to incidents in any organization,” said Alexey Vovk, head of information security at Kaspersky. “As the statistics show, employees from any department can negatively influence cybersecurity both intentionally and unintentionally. That is why it is important to consider methods of preventing information security policy violations when ensuring security, i.e. to implement an integrated approach to cybersecurity. It is necessary to create a cybersecurity culture in an organization from the beginning by developing and enforcing security policies, as well as raising cybersecurity awareness among employees. Thus, the staff will approach the rules more responsibly and clearly understand the possible consequences of their violations.”
To read the full report for more insights on the human impact on cybersecurity in business, please visit the link.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.