A NEW study by Kaspersky highlights the growing concern over employee-driven cybersecurity incidents in Asia Pacific (APAC).
The study found that 33 percent of cyber incidents in APAC businesses were caused by employees intentionally violating security protocols, a figure nearly equal to the 40 percent of incidents attributed to external hacking attempts. This trend is particularly concerning given that APAC’s figures surpass the global averages of 26 percent and 30 percent, respectively, for employee-induced and hacking-related incidents.
“Along with external cybersecurity threats, there are many internal factors that can lead to incidents in any organization. As statistics show, employees from any department, whether it’s non-IT specialists or IT Security professionals, can negatively influence cybersecurity both intentionally and unintentionally,” comments Alexey Vovk, Head of Information Security at Kaspersky.
The study surveyed 234 IT security professionals working for SMEs and Enterprises across APAC, revealing that both non-IT and IT employees are responsible for intentional security breaches. Senior IT security officers were found to have caused 16 percent of cyber incidents, exceeding the global average by 4 percent. Other IT professionals and non-IT colleagues contributed to 15 percent and 12 percent of incidents, respectively.
“It is alarming to see that despite the several headline-grabbing data breaches and ransomware attacks that happened in the region this year, a lot of employees continue to intentionally breach basic information security policies. With this latest study showing APAC’s numbers always higher than the global average, a multi-department approach to build a strong enterprise cybersecurity culture is urgently needed to address this human-factor gap that is definitely being exploited by cybercriminals,” Adrian Hia, Managing Director for Asia Pacific at Kaspersky, comments.
Using unsolicited services or devices is another major contributor to intentional information security policy violations. Nearly one quarter (31 percent) of companies suffered cyber incidents because their employees used unauthorized systems for data sharing. Employees in 25 percent of companies intentionally accessed data through unauthorized devices, whilst 26 percent of staff in other businesses sent data to personal email addresses. Another reported action was the deployment of shadow IT on work devices — 15 percent of respondents indicate that this led to their cyber incidents.
Alarmingly, respondents from APAC admit that, besides the irresponsible behavior already mentioned, 26 percent of malicious actions were committed by employees for personal gain. Another interesting finding was that intentionally malicious information security policy violations by employees were a relatively big issue in financial services, as reported by 18 percent of respondents in this sector.
“That is why it is important to consider methods of preventing information security policy violations when ensuring security, i.e. to implement an integrated approach to cybersecurity. According to our research, in addition to 26 percent of cyber incidents being caused by information security policy violations, 38 percent of breaches occur due to human mistakes. As the numbers are alarming, it is necessary to create a cybersecurity culture in an organization from the get-go by developing and enforcing security policies, as well as raising cybersecurity awareness among employees. Thus, the staff will approach the rules more responsibly and clearly understand the possible consequences of their violations,” Vovk comments.