Employees lack IT security policy awareness: Kaspersky Lab
A lack of IT security awareness among Middle East, Turkey and Africa (META) employees remains a worrying reality for businesses in the region.
This is according to a recent study titled "Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within", conducted by Kaspersky Lab in partnership with the research firm B2B International.
The research found that in the META region, only 18% of employed respondents are fully aware of the IT security policies and rules set in the organisations they work for. This, combined with the fact that 40% of employees consider protection from cyber threats a shared responsibility, presents additional challenges when it comes to setting the right cyber security framework, according to the report.
The study surveyed 7 993 full-time employees about policies and responsibilities for corporate IT security. It also revealed that 28% of employees believe there are no established policies in their organisations at all.
"Interestingly, it seems that ignorance of the rules is no excuse, as around half (49%) of the respondents think all employees, including themselves, should take responsibility for protecting corporate IT assets from cyber threats. This discrepancy could be particularly dangerous for smaller businesses, where there is no dedicated IT security function and responsibilities are distributed among IT and non-IT personnel," adds Kaspersky.
Neglecting even basic requirements, such as changing passwords or installing necessary updates, could jeopardise overall business protection, warn Kaspersky Lab experts. Top management, HR and finance specialists who have access to their company's critical data are usually most at risk of being targeted.
"The issue of unaware staff can be a major challenge to overcome, especially for smaller businesses where a cyber security culture is still being developed. Not only can employees themselves fall victim to cyber threats, but they are also obliged to guard their company from those threats in the first place. In this regard, businesses should pay attention to educating staff and introducing easy-to-use and easy-to-manage, but still powerful, solutions that make this achievable for those who are not experts in IT security," explains Vladimir Zapolyansky, head of SMB Business at Kaspersky Lab.
To deal with this problem, small and medium-sized businesses would benefit from regular IT security awareness training for staff and from products tailored to their specific needs.
The IBM 2016 Cyber Security Intelligence Index found that 60% of all attacks were carried out by insiders within an organisation. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.
According to Forrester's Understand The State Of Data Security And Privacy: 2015 To 2016 report, in the past 12 months the top three most common breaches were: an internal incident within an organisation (39%), an external attack targeting an organisation (27%), and an external attack targeting a business partner or third-party supplier (22%). The research also revealed that personally identifiable information was one of the top two data types most often compromised in a breach.
Understanding common insider threat profiles remains an essential step in helping organisations eliminate damage before it happens, says Virginia Satrom, social media manager at Forcepoint.
"Organisations should put all users through detailed training which educates them on best practices and how to recognise an adversary's stealth techniques. At the same time, teach them how to spot possible malicious insiders through the classic 'trouble signs' they project. On the tech side, organisations can complement their firewall and anti-virus tools with insider threat-centric ones related to authentication/access control, data loss prevention and user behaviour analysis," she advises.