A recent study by cyber security firm Kaspersky reveals that employee breaches of information security policies within organisations are a significant threat, on par with external hacker attacks. Over the last two years, 33% of cyber incidents within businesses in the Asia Pacific (APAC) region were caused by employees intentionally violating security protocols.
"Employee violations of an organization's information security policies are as dangerous as external hacker attacks. In the past 2 years, 33% of cyber incidents in businesses in APAC were due to employees intentionally breaching security procedures. This figure is almost equal to the damage caused by cybersecurity breaches, 40% of which occurred because of hacking," quotes the study.
Kaspersky's global study gathered information from 234 respondents in APAC consisting of both internal staff and external actors. The findings indicate a perspective complex than the conventional understanding regarding human error and violations as the main causes of cyber incidents in businesses.
In addition to unintended mistakes, information security policy violations by employees have emerged as one of the largest challenges for companies. The study highlighted behaviours such as the use of weak passwords, or failure to change them in a timely manner, were responsible for a notable 35% of cyber incidents. This figure is significantly higher than the global average of 25%. Furthermore, neglecting to update system software or applications when required led to 25% of cybersecurity breaches.
Adrian Hia, Managing Director for Asia Pacific at Kaspersky, warns, "It is alarming to see that despite the number of data breaches and ransomware attacks in the region this year, many employees still intentionally breach basic information security policies. With APAC's numbers being higher than the global average, there is an urgent need for organisations to adopt a multi-department approach to building a strong enterprise cybersecurity culture."
Other breaches of policy included the use of unauthorized systems for data sharing, with nearly a quarter (31%) of companies reporting such incidents. In addition to violating policy out of negligence or ignorance, Kaspersky’s study noted that 26% of malicious actions were undertaken deliberately by employees for personal gain, especially within the financial services sector. These actions led to 18% of reported incidents.
Alexey Vovk, Head of Information Security at Kaspersky, said: "Employees from any department, whether its non-IT specialists or IT Security professionals, can negatively influence cybersecurity both intentionally and unintentionally. As the numbers show, in addition to 26% of cyber incidents being caused by information security policy violation, 38% of breaches occur due to human mistakes. Therefore, it is crucial to cultivate a cybersecurity culture within the organisation by developing and enforcing security policies, as well as raising cybersecurity awareness among the workforce."
To address these challenges, Kaspersky recommends the use of cybersecurity products with Application, Web and Device control features, to limit the use of unsolicited apps, websites, and peripherals. Data transfers should also be monitored, and potentially dangerous activities should be prevented by users and attackers using Advanced Anomaly Control features.