Actions by employees that violate their organization’s information security policies are as detrimental as external cyberattacks.
Cybersecurity and antivirus provider Kaspersky recently published a study, which involved interviewing IT experts and professionals from 19 countries, to gather insights regarding the impact of internal and external threats on cybersecurity.
The key findings of the Kaspersky study are alarming: within the past two years, 77% of companies surveyed experienced at least one cybersecurity incident, with 75% of these incidents classified as serious. The financial services sector emerged as particularly vulnerable, with a notable prevalence of incidents caused by non-IT employee violations that accounted for 22% of breaches in this sector. In the telecommunications sector, more than one-third of companies suffered at least four incidents over the past two years.
However, the responsibility does not solely lie with non-IT staff. The study found that IT staff, including senior members of the IT security team, were also culpable. Specifically, 14% of the incidents were attributed to senior IT security professionals, while other IT staff were responsible for an additional 15% of errors leading to breaches.
Many violations are deliberate, with employees knowingly breaching security policies. A quarter of the cyber incidents in the past two years were attributed to weak passwords and failure to change them regularly. Additionally, 24% of breaches apparently occurred because staff visited insecure and suspicious websites. Other common violations included using unauthorized platforms for data sharing, neglecting updates for system software and apps, and transferring data to personal, unauthorized devices.