Workers’ violation of security policies as hurtful as hacker attacks

Employee violations of an organisation’s information security policies are as dangerous as external hacker attacks, according to a recent study from Kaspersky. 

The company found that, in the last two years, 33% of cyber incidents in businesses in the Asia-Pacific region (APAC) occurred due to employees intentionally violating security protocol. 

This figure is almost equal to the damage caused by cybersecurity breaches, 40% of which occurred because of hacking. These numbers are a tad higher than the global average of 26% and 30%, respectively.

Kaspersky engaged Arlington Research to conduct a study that involved  1,260 interviews with IT and IT security engineers across Brazil, Chile, China, Colombia, France, Germany, India, Indonesia, Japan, Kazakhstan, Mexico, Russia, Saudi Arabia, South Africa, Spain, Turkiye, the United Arab Emirates, the United Kingdom and the United States.

Respondents include 234 respondents who are based in APAC.

The study revealed that, in addition to genuine errors, information security policy violations by employees from the region were one of the biggest problems for companies.

Respondents from APAC claimed that intentional actions to break the cybersecurity rules were made by both non-IT and IT employees in the last two years. They said policy violations such as these by senior IT security officers caused 16%of the cyber incidents in the last two years, 4% higher than the global average. 

Other IT professionals and their non-IT colleagues brought about 15% and 12% of cyber incidents respectively when they breached security protocols. 

In terms of individual employee behavior, the most common problem is that employees deliberately do what is forbidden and, conversely, they fail to perform what’s required. 

Thus, respondents claim that a quarter (35%) of cyber incidents in the last two years occurred due to the use of weak passwords or failure to change them in a timely manner. This is 10% higher than the global result of 25%.

Another cause of almost one third (32%) of cybersecurity breaches were the result of staff in APAC visiting unsecured websites.

Also, 25% report they faced cyber incidents because employees did not update the system software or applications when it was required. 

Using unsolicited services or devices is another major contributor to intentional information security policy violations. Nearly one quarter (31%) of companies suffered cyber incidents because their employees used unauthorised systems for data sharing. 

Employees in 25% of companies intentionally accessed data through unauthorised devices, whilst 26% of staff in other businesses sent data to personal email addresses. 

Another reported action was the deployment of shadow IT on work devices – 15% of respondents indicate that this led to their cyber incidents. 

Respondents from APAC admit that, besides the irresponsible behavior already mentioned, 26% of malicious actions were committed by employees for personal gain. 

Further, intentionally malicious information security policy violations by employees were a relatively big issue in financial services, as 18% of respondents in this sector reported. 

“In addition to 26% of cyber incidents being caused by information security policies violation, 38% of breaches occur due to human mistakes,” said Adrian Hia, Kaspersky managing director for APAC.

“As the numbers are alarming, it is necessary to create a cybersecurity culture in an organisation from the get-go by developing and enforcing security policies, as well as raising cybersecurity awareness among employees,” said Hia.