Employee violations of an organisation’s information security policies are as dangerous as external hacker attacks, a report warned on Friday.
In terms of individual employee behaviour, the most common problem is that employees deliberately do what is forbidden and, conversely, they fail to perform what’s required.
In the last two years, 33 per cent of cyber incidents in businesses in Asia Pacific (APAC) occurred due to employees intentionally violating security protocol, according to the report by cyber-security firm Kaspersky.
A quarter (35 per cent) of cyber incidents in the last two years occurred due to the use of weak passwords or failure to change them in a timely manner. This is 10 per cent higher than the global result of 25 per cent.
“It is alarming to see that despite the several headline-grabbing data breaches and ransomware attacks that happened in the region this year, a lot of employees continue to intentionally breach basic information security policies,” said Adrian Hia, Managing Director for Asia Pacific at Kaspersky.
A multi-department approach to build a strong enterprise cybersecurity culture is urgently needed to address this human-factor gap that is definitely being exploited by cybercriminals, Hia advised.
Respondents from organisations in APAC claimed that intentional actions to break the cybersecurity rules were made by both non-IT and IT employees in the last two years.
They said policy violations such as these by senior IT security officers caused 16 per cent of the cyber incidents in the last two years, 4 per cent higher than the global average.
Other IT professionals and their non-IT colleagues brought about 15 per cent and 12 per cent of cyber incidents, respectively, when they breached security protocols.
Another cause, behind almost one third (32 per cent) of cybersecurity breaches, was staff in APAC visiting unsecured websites.
Another 25 per cent reported they faced cyber incidents because employees did not update the system software or applications when it was required.
Using unsolicited services or devices is another major contributor to intentional information security policy violations, said the report.