A recent global study conducted by Kaspersky has revealed that information security breaches resulting from staff violating organizational policies are as detrimental as external hacking incidents in the Asia-Pacific (APAC) region. The findings shed light on the critical role that insider threats play in compromising cybersecurity.
Over the past two years, a striking 33% of cyber incidents within businesses in APAC were attributed to intentional violations of security protocols by employees. This closely rivals the damage caused by external cybersecurity breaches, with hacking accounting for 40% of incidents. These figures surpass the global averages of 26% for policy violations and 30% for hacking incidents, respectively.
While human error has long been considered a primary factor in cyber incidents, Kaspersky’s study delves into the complexities of cybersecurity within organizations. The research aimed to understand the perspectives of IT security professionals working for SMEs and Enterprises globally, with a focus on the impact of human factors on cybersecurity. A total of 234 respondents from APAC participated in the survey.
“It is alarming to see that despite the several headline-grabbing data breaches and ransomware attacks that happened in the region this year, a lot of employees continue to intentionally breach basic information security policies. With this latest study showing APAC’s numbers always higher than the global average, a multi-department approach to build a strong enterprise cybersecurity culture is urgently needed to address this human-factor gap that is definitely being exploited by cybercriminals,” according to Adrian Hia, Managing Director for Asia Pacific at Kaspersky.
The study disclosed that, in addition to inadvertent errors, intentional violations of information security policies by employees emerged as a significant challenge for companies in the region. Respondents from APAC organizations reported that senior IT security officers, in particular, were responsible for 16% of cyber incidents in the last two years, surpassing the global average by 4%. Other IT professionals and non-IT colleagues contributed to 15% and 12% of incidents, respectively, when breaching security protocols.
On an individual level, the study highlighted that employees often engage in forbidden activities, with 35% of cyber incidents in the past two years attributed to the use of weak passwords or failure to update them promptly—a figure 10% higher than the global average. In addition, 32% of breaches occurred due to employees visiting unsecured websites, and 25% resulted from neglecting system software or application updates.
Intentional information security policy violations also stemmed from the use of unauthorized systems for data sharing (31%), unauthorized access through devices (25%), and the transmission of data to personal email addresses (26%). The deployment of shadow IT on work devices contributed to 15% of reported cyber incidents.
Worryingly, the study indicated that 26% of malicious actions were driven by employees seeking personal gain. It is worth noting that the financial services sector reported intentional malicious violations at 18%.
“Along with external cybersecurity threats, there are many internal factors that can lead to incidents in any organization. As statistics show, employees from any department, whether it’s non-IT specialists or IT Security professionals, can negatively influence cybersecurity both intentionally and unintentionally. That is why it is important to consider methods of preventing information security policy violations when ensuring security, i.e. to implement an integrated approach to cybersecurity. According to our research, in addition to 26% of cyber incidents being caused by information security policy violations, 38% of breaches occur due to human mistakes. As the numbers are alarming, it is necessary to create a cybersecurity culture in an organization from the get-go by developing and enforcing security policies, as well as raising cybersecurity awareness among employees. Thus, the staff will approach the rules more responsibly and clearly understand the possible consequences of their violations,” said Alexey Vovk, Head of Information Security at Kaspersky.
To safeguard company infrastructures from the repercussions of information security policy violations, Kaspersky recommends employing cybersecurity products with Application, Web, and Device control features. Specific solutions such as Kaspersky Endpoint Security for Business, Kaspersky Endpoint Security Cloud, and other advanced features within the Kaspersky suite were highlighted for their efficacy in mitigating risks associated with insider threats. The study emphasizes the importance of proactive measures to address intentional and unintentional breaches, urging organizations to stay vigilant against evolving cyber threats.