Employees are as likely as cyber-criminals to cause cyber-incidents

Kaspersky is a Business Reporter client

New research finds staff cause nearly as many security leakages as cyber-criminals. But businesses can do something about it.

Employees and cyber-criminals cause similar numbers of data leakages, new research by global cybersecurity firm Kaspersky finds.

The Kaspersky 2022 IT Security Economics survey, involving interviews with more than 3,000 IT security managers in 26 countries, found cyber-attacks caused 23 per cent of data leakages, while employees caused a similar proportion, at 22 per cent.

The rise in employees causing leakages may be linked with more remote working since the pandemic, with new staff laptops, tablets and virtual private networks (VPNs) featuring among the extra endpoints and systems needing security.

Although innocent mistakes or ignoring cyber-security policy were behind most leakages, security managers reported around a third (36 per cent) of employee-triggered leakages were deliberate acts of sabotage or espionage.

The high number of cyber-incidents stemming from employee action shows all organisations need thorough cyber-security awareness training to teach staff how to avoid common security mistakes.

Earlier Kaspersky research in partnership with Longitude, a thought leadership agency within the Financial Times Group, found businesses confident in their cyber-skills programs also reported better overall cyber-attack preparedness.

While cyber-security experts should upskill regularly, the research highlights the importance of training all staff, not just the IT department, to create a company-wide cyber-security culture. “One-off training is not enough,” said Evgeniya Naumova, former Executive Vice President of Corporate Business at Kaspersky.

“Behavioral change takes commitment and practice for acquired skills to become habit.”

Heathrow Airport’s innovative employee cyber-awareness program aims to change behaviour long-term with “little and often” education targeted at those who need it most.

Trainers use mock “phishing” emails to identify employees most at risk of falling for cyber-criminals’ tricks.

Data-gathering explosion shifts focus to transparency

The changing nature of business, with more remote working and internet-connected devices, comes at a time when businesses are sharing and storing much more data.

Latest estimates project that data generated, consumed and stored online will reach more than 180 zettabytes by 2025. Meanwhile, more customers question whether companies can keep their data safe.

“With data protection so high on the business security agenda, supplier and contractor transparency policies also take centre stage. Most (78 per cent) organisations surveyed said they had a transparency policy, while nine in 10 (91 per cent) said these policies mattered when choosing who to work with.

“Organisations are being more conscientious with data security and [are] seeing a responsible approach to data management as essential in suppliers and contractors,” said Yuliya Shlychkova, Head of Public Affairs at Kaspersky.

“More companies are adopting transparency policies to help customers and partners understand their data security standards.

We’ve pioneered building trust in our industry by giving stakeholders many ways to validate the trustworthiness of our solutions and business operations. We’re also working with partners to make transparency an industry-wide standard.”

Kaspersky’s research found that expanding their cyber-security teams will be a big priority for IT security managers in 2023, regardless of business size.

Teams are particularly looking to add more experienced, dedicated specialists rather than relying on programmers or network engineers to fulfil security functions.

Almost half of those surveyed (48 per cent) had invested in more staff after a cyber-incident in 2022, while the majority (86 per cent) had taken on board IT professionals to help fix cyber-incident impacts.

For organisations that find they can’t recruit all the cyber-specialists they need, managed protection services offer another way to optimise cyber-security.

Originally published on Business Reporter