One-in-Four Hide Cybersecurity Incidents From Their Employers
The report, Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within, states that employees in 40 percent of businesses across the world hide cyber incidents from upper management in order to avoid punishment. What compounds this problem is that the very employees who hide the incidents are the ones who tend to be careless and are likely to be the prime cause of the incident. Malware comes second to that, but even though malware is getting more sophisticated by the day, the human factor still accounts for almost half (46 percent) of cyber security incidents.
That employees hide incidents from their employers to avoid punishment is commonly known, but people rarely realise that not reporting an incident may in fact increase the overall damage; for example, an unreported breach could indicate a much larger one. Furthermore, the security team needs to apply the proper risk response and mitigation tactics based on threat identification. “The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”
The results of the survey illustrate that the top three fears are all related to human factors and employee behavior. 47 percent of businesses worry that their employees will share inappropriate data with their phones, 46 percent worry about the physical loss of mobile phones, and 44 percent worry about the inappropriate use of IT resources by employees. Moreover, one third of attacks (28 percent) targeting businesses last year exploited human nature (social engineering and phishing) as an entry point, illustrating that advanced and sophisticated malware is not always needed. In fact, research shows that even when malware is involved, unaware and careless employees account for 53 percent of global incidents.
“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network — all you need is someone inside, who doesn’t know about, or pay attention to, security, and that device could easily be connected to the network where it could wreak havoc.”