Human IT vulnerability
Almost half of all cybersecurity incidents are due to employee misconduct. What is the best way out of this dilemma?

Targeted attacks in particular often exploit employees' lack of care or attention. The reason: employees are the easiest gateway for highly technical and specialized attacks on companies.
According to the Kaspersky study "Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within", 28% of all targeted attacks last year were carried out via phishing or social engineering. For example, an email contains a malicious file disguised as a vendor invoice; once a careless accountant opens it, the corporate network may already be infected.
The attack spectrum
The doors to a company's infrastructure are often opened for cyber criminals from the inside. The spectrum of attacks ranges from phishing e-mails and overly weak passwords to supposed calls from IT support. Another scam uses seemingly lost but compromised memory cards that are deliberately placed in the company parking lot or secretary's office and then found and read by well-meaning colleagues.
A question of corporate culture
Employees hold back on reporting cybersecurity incidents for fear of potential consequences; according to the study, this happens in 40% of companies. The consequences are serious, because security experts need to identify cybersecurity incidents as quickly as possible in order to combat them adequately.
Instead of threatening employees with strict rules and consequences, companies should therefore promote awareness and a willingness to cooperate. "Cybersecurity is not just a question of technology, but also a question of corporate culture. Top management and HR departments should also be aware of this," said Slava Borilin, Security Education Program Manager at Kaspersky Lab. "When employees cover up incidents, it's for good reasons: too strict and unclear policies, too much pressure, or looking for someone to blame. All of these lead employees to cover up the truth out of fear. Far better results come from a positive cybersecurity culture that emphasizes awareness building and information flow, and is exemplified by senior management."
The royal road to avoidance
Companies are now aware of the importance of employees for their security. One in two (52%) sees staff as the weakest link in the IT security chain and one in three companies (35%) would like to implement further training measures for this reason. This is the second most common measure for more security after the use of better software (43%).
The silver bullet for preventing human cybersecurity failures is a combination of technical and personnel measures:
- Personnel measures: Security training, clearly and concisely formulated guidelines, further training and motivation measures, and a positive working atmosphere.
- Technological solutions: Endpoint security solutions can be used to contain human error by employees. Preconfigured protection measures and advanced security settings can also be used to meet the special requirements of small and medium-sized enterprises and corporate groups.
Source: Kaspersky Lab