Kaspersky Lab – The Human Factor in IT Security: How employees are making businesses vulnerable from within

Sometimes personnel may take cybersecurity requirements too lightly, leading to dramatic consequences for the organizations they work for.

In the recent WannaCry ransomware epidemic, the human factor played a major role in making businesses worldwide vulnerable. Two months after the disclosed vulnerabilities had been patched with a new update from Microsoft, many companies around the world still hadn’t updated their systems. Several cases followed — with non-IT personnel being the weakest link: for example, employees with local administrator rights who disabled security solutions on their computers and let the infection spread from their computer onto the entire corporate network.

So, what role do employees play in a business’s fight against cybercrime? To answer this question Kaspersky Lab and B2B International have undertaken a study into over 5,000 businesses around the globe.

The results have been astounding. We’ve found that just over half of businesses (52%) believe they are at risk from within. Their staff, whether intentionally or through their own carelessness or lack of knowledge, are putting the businesses they work for at risk.

The following report investigates how and why this is happening – and what businesses can do to help protect themselves from their own employees.

The dangers of irresponsible and uninformed employees

At risk from within

Against the backdrop of a complex and growing cyber threat landscape, where 57% of businesses now assume their IT security will become compromised, businesses are also waking up to the fact that one of the biggest chinks in their armor against cyberattack is their own employees. In fact, 52% of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk.

The fear of being put at risk from within can be seen clearly in the fact that for businesses, the top three cybersecurity fears are all related to human factors and employee behavior. The table below shows that businesses are aware of how easy it is for employee/human error to impact their company’s security. They worry most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).

Taking a closer look at these findings, concerns about the inappropriate use of IT by employees vary considerably according to company size, with very small businesses (with 1-49 employees) feeling more at risk from this threat than enterprises with more than 1000 staff. This could be due to a number of factors including enterprises potentially having stricter policies in place, and more thorough training for staff on best practice. In addition, very small businesses possibly bestow employees with a greater degree of flexibility in terms of how they use business IT resources.

Employee actions lead to cybersecurity incidents

The findings of our study show us that businesses do indeed have good reason to be worried about employees contributing to cybersecurity risks. Staff may make mistakes that put their company’s data or systems at risk – either because they are careless and accidently slip up – or even because they do not have the required training to teach them how to behave appropriately and to protect the business they work for.

Careless or uninformed staff, for example, are the second most likely cause of a serious security breach, second only to malware. In addition, in 46% of cybersecurity incidents in the last year, careless/ uniformed staff have contributed to the attack.

Human error on the part of staff is not the only ‘attack vector’ that businesses are falling victim to. In the last year internal staff have also caused security issues through malicious actions of their own, with 30% of security events in the last 12 months reportedly involving staff working against their own employers.

Among the businesses that faced cybersecurity incidents in the past 12 months, one-in-ten (11%) the most serious types of incidents involved careless employees.

Employee carelessness and phishing/social engineering were major contributing factors for malware and targeted attacks; attack types, which, incidentally, have also demonstrated the largest increase in the last year.

Irresponsible employees – the damage

As well as being irresponsible by hiding incidents when they happen, employee irresponsibility can also have a hard-hitting impact on a firm’s data and system integrity when it’s linked to a security incident.

For example, 46% have confirmed that those incidents have resulted in their business’s data being leaked or exposed because of employee actions. In addition, over one in four (28%) have lost highly sensitive or confidential customer/employee information as a result of irresponsible employees, while 25% have lost payment information. All of these implications, of course, have the potential to have a far-reaching and damaging impact on a business’s reputation – both internally and externally.

Below is the story of an advertising firm that lost a real business opportunity after its critical data was exposed, as a result of a minor employee mistake. The story is told by one of Kaspersky Lab’s security experts:

A young but ambitious advertising agency finally got a call for a tender from a very big client they had been trying to approach for months. The workload for compiling a successful proposal was huge, the time and resources were limited, and the work group – freelance designers, home-working copywriters, an account manager and an account director – became ridiculously large, also involving several third-party contractors.

To make the process smooth and easy, the agency decided to put a draft of the proposal in Google Docs and only allowed access to the document to people who had the link, namely the group itself. When the proposal was finished, downloaded, and the Google document was closed, the newbie account manager made it available once again — just to secretly show it to a couple of former senior colleagues who could provide them with useful advice before the submission. Only this time, due to his nerves about presenting to the client, the account manager completely forgot about the privacy settings and made the document available to everyone on the web.

So, what happened next? The night before the proposal submission deadline, a more experienced competitive agency decided to do a simple Google Docs extended search (using the combination ‘client name + proposal’). They found the document with several nice and creative ideas and, more importantly, the budget estimate for the services. To eliminate the new player in the market, the more established agencies worked together and agreed to lower their prices to make it look like the rookie firm was trying to overcharge. The firm dropped out of the bid and were none the wiser until the disappointed account manager took another look at the proposal in Google Docs to see where they had gone wrong and finally realized – the privacy settings were not enabled!

That’s how the advertising firm lost a major new business opportunity because of lack of security awareness and clear security policies in place.

The full report here: https://www.kaspersky.com/blog/the-human-factor-in-it-security/