Employee violations of an organisation’s information security policies are as dangerous as external hacker attacks according to a recent study from Kaspersky.
In the last two years, 19% of cyber incidents in businesses in South Africa occurred due to employees intentionally violating security protocol. This figure is almost equal to the damage caused by cybersecurity breaches, 30% of which occurred because of hacking.
There is a well-established perception that human error is one of the main causes of cyber incidents in business. But things are not so straightforward. The state of an organisation’s cybersecurity is more complicated than that and more factors come into the equation.
With this in mind, Kaspersky conducted a study to find out the opinions of IT security professionals working for SMEs and enterprises worldwide on the impact people have on cybersecurity in a company. The research was aimed at gathering information about different groups of people influencing cybersecurity, considering both internal staff, and external actors.
The study revealed that, in addition to genuine errors, information security policy violations by employees were one of the biggest problems for companies.
Respondents from organisations all over the world claimed that intentional actions to break the cybersecurity rules were made by both non-IT and IT employees in the last two years. They said policy violations such as these by IT security officers caused 5% of the cyber incidents in the last two years.
Other IT professionals and their non-IT colleagues both brought about 8% of cyber incidents respectively when they breached security protocols.
In terms of individual employee behaviour, the most common problem is that employees deliberately do what is forbidden and, conversely, they fail to perform what’s required. Thus, local respondents claim that 37% of cyber incidents in the last two years occurred due to the use of weak passwords or failure to change them in a timely manner.
The other cause (32%) of cybersecurity breaches were the result of staff visiting unsecured websites. Another 32% report they faced cyber incidents because employees did not update the system software or applications when it was required.
Alarmingly, respondents admit that, besides the irresponsible behaviour already mentioned, 11% of malicious actions were committed by employees for personal gain. Another interesting finding was that intentionally malicious information security policy violations by employees were a relatively big issue in financial services, as 34% of all respondents in this sector reported.
“Along with external cybersecurity threats, there are many internal factors that can lead to incidents in any organisation,” comments Alexey Vovk, head of information security at Kaspersky. “As statistics show, employees from any department, whether it’s non-IT specialists or IT security professionals, can negatively influence cybersecurity both intentionally and unintentionally.
“That is why it is important to consider methods of preventing information security policy violations when ensuring security, i.e. to implement an integrated approach to cybersecurity.
“According to our full research, in addition to 26% of cyber incidents being caused by information security policies violation, 38% of breaches occur due to human mistakes.
“As the numbers are alarming, it is necessary to create a cybersecurity culture in an organisation from the get-go by developing and enforcing security policies, as well as raising cybersecurity awareness among employees. Thus, the staff will approach the rules more responsibly and clearly understand the possible consequences of their violations.”