A substantial 26% of cyber incidents in businesses over the last two years have been found to be the result of intentional security protocol violations by employees. This figure closely rivals the 20% attributed to external hacking attempts.
The findings come from Kaspersky’s latest study, which explained that, contrary to prevailing beliefs that human error is the primary cause of cybersecurity incidents, the reality is more nuanced.
Seeking insights from IT security professionals in SMEs and enterprises globally, the research aimed to understand the diverse impact of various individuals on a company’s cybersecurity posture.
It discovered that intentional policy violations by employees, spanning both IT and non-IT staff, played a significant role in cyber incidents. Notably, IT security officers, other IT professionals and non-IT colleagues were identified as sources of breaches, contributing to 13%, 12% and 4% of incidents, respectively.
Examining individual employee behavior, the study revealed that 22% of incidents resulted from the deliberate use of weak passwords or failing to change them promptly. Additionally, 18% were linked to staff visiting unsecured websites, while 25% occurred due to neglecting system software or application updates.
Unsolicited services or devices were identified as significant contributors to intentional policy violations, with 14% of companies experiencing incidents due to unauthorized systems for data sharing. Particularly concerning was the finding that 20% of malicious actions were committed by employees for personal gain, with the financial services sector notably reporting 34% of such incidents.
Highlighting the necessity of a comprehensive cybersecurity strategy, Alexey Vovk, who leads information security at Kaspersky, emphasized the significance of fostering a culture of cybersecurity within companies.
“As the numbers are alarming, it is necessary to create a cybersecurity culture in an organization from the get-go by developing and enforcing security policies, as well as raising cybersecurity awareness among employees,” Vovk explained.
“Thus, the staff will approach the rules more responsibly and clearly understand the possible consequences of their violations.”