IT Security, the human factor

Author: Michael Renotte

88% of employees have no clue about their organization's IT security policies, according to a survey by Kaspersky Lab. Such a lack of awareness about company security rules could open enterprises and SMBs up to cyberthreats.

Though cyberthreats grow more sophisticated by the day, the vast majority of employees are not aware of their organization's information security policies and rules that are in place to keep them safe. While 49% of employees surveyed say they consider protection from cyberthreats a shared responsibility in their company, only 12% affirm that they are fully aware of their company's IT security policies, according to the findings of the survey.

These results highlight the fact that employees remain a top security risk factor within organizations, as they are responsible for 46% of IT security incidents each year, according to a previous Kaspersky Lab survey. However, employees are also the key to strengthening an organization's security posture, and enterprises must have strong awareness campaigns in place to remain cybersecure.

Of the nearly 8,000 employees surveyed, 24% say they believe their organization does not have any established IT security policies.

This lack of awareness is of particular concern for SMBs, which often lack dedicated IT security teams and share cybersecurity responsibilities among IT and non-IT workers, Kaspersky Lab notes in the report. SMBs tend to be most vulnerable to threats such as ransomware, since they lack the staff and financial resources to secure their IT infrastructure.

Based on the report, employees most at risk tend to be executives, HR leaders, and finance specialists, who tend to have access to their company's critical data. If the most basic cyber hygiene practices - such as changing passwords or installing updates - are not followed by all employees, it could potentially put the entire organization in danger of a breach.

According to Cédric Mauny, Head of Cybersecurity Services at Telindus, "the issue of uninvolved, untrained or simply unaware staff can be a major challenge to overcome, especially for smaller businesses where a cybersecurity culture is still being developed. Not only can employees themselves fall victim to cyberthreats, but they are also obliged to guard their company from those threats in the first place. In this regard, businesses need to educate staff and introduce easy-to-use - but still effective - security solutions that make managing protection achievable for those who are not experts in IT security. It is no longer necessary to be an IT security expert to implement day-to-day security. The responsibility of the latter is to make security as accessible as possible. The best tool will never be exploited even by the most involved employees - or worse, it will be bypassed - if it is misused."


Only 12% of employees claim to be fully aware of their organization's IT security policies and rules. — Kaspersky Lab, 2018

24% of employees believe their organization does not have any established security policies. — Kaspersky Lab, 2018
