Text Size:


With Breaches, Companies Find They Have Met the Enemy, And He Is Us
July 10, 2017

By John Stewart

When fraudsters launch a cyber attack, they may not be their target’s worst enemy. Equally troublesome could be the business’s own staff, according to results of a survey of 5,000 companies around the world released Monday by Kaspersky Lab, a Moscow-based global cybersecurity firm.

It turns out employees not only unwittingly enable attacks, they also make them worse by keeping their mouths shut when they happen. Fearing retribution, employees hid security incidents in 40% of companies surveyed. The larger the business, the greater the risk staffers would remain mum. Among businesses with 49 or fewer employees, the incident rate was 29%. But in enterprises, defined as companies with more than 1,000 employees, it was 45%, It wasn’t much better, at 42%, among businesses with 50 to 999 employees.

Covering up only makes breaches and other cyber attacks worse, according to Kaspersky. It delays response that could have stopped a breach in its tracks and also leaves less time for security professionals to decide on the most effective counter-measure, the company says. The survey was conducted by B2B International Inc., a White Plains, N.Y.-based research firm.

Kaspersky argues companies should be taking this internal risk more seriously. “The problem of hiding incidents should be communicated not only to employees, but also to top management and [human-resources] departments,” said Slava Borilin, security education program manager at Kaspersky, in a statement.

Companies should also recognize why staffers are keeping quiet. In many cases, it’s because they fear they’ll be fired or suffer other consequences, Kaspersky says. “In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong,” said Borilin. “Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes.”

Instead, he advises, companies should adopt an “educational” approach, reinforcing the idea that reporting an incident promptly helps stop or mitigate data loss.

The company also points out how staffers are often a criminal’s primary target. Fraudsters send so-called phishing emails to specific persons within an organization, hoping to gull them into opening an attachment that will unleash malware or ransomware. In some cases, the emails are cleverly disguised as coming from a top executive, with an “order” to execute a payment or withdrawal. Unwitting employees were involved in malware infections in 53% of the incidents studied in the Kaspersky survey.

“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” said Kaspersky’s David Jacoby, a security researcher, in a statement. “All you need is someone inside, who doesn’t know about, or pay attention to, security.”

The survey did find that companies are starting to wake up to the risk posed by unaware and closed-mouth employees. It found that 35% of companies are planning to improve security through new or more staff training programs, second only to “more sophisticated” security software, at 43%.

Share |


Read Digital Transactions Online
read more