Two out of five employees hid cybersecurity incidents, Kaspersky Lab says

Two out of five employees have hidden IT security incidents in workplaces across the globe out of fear of punishment, a new report from Kaspersky Lab and B2B International said.
Enterprises with over 1,000 employees are mostly vulnerable to staff not reporting cybersecurity breaches at 45 percent, while companies with a staff complement from 50 to 999 experiencing a lower instance at 42 percent. Small enterprises, or those with 49 employees or less, have a greater control over their staff on IT matters as only 29 percent did not report cybersecurity breaches.
The report, titled Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within, was based on a survey of 5,000 businesses across the globe.
“Not only are employees hiding incidents but … uninformed or careless employees are one of the most likely causes of a cybersecurity incident — only second to malware. While malware is becoming more and more sophisticated each day, the surprising reality is that the evergreen human factor can pose an even greater danger,” the report noted.
“Forty-six percent of IT security incidents are caused by employees each year – that’s nearly half of the business security issues faced triggered by employee behavior.”
On average, ineffective cybersecurity costs industrial organizations up to $497,000 (SR1.86 million) a year, Kaspersky Lab estimated.
More than half of the companies affected by malicious software blamed it on inattentive staff and their lack cybersecurity awareness, while over a third blamed it social engineering schemes that intentionally tricked employees.
The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab. “If employees are hiding incidents, there must be a reason why.”
“In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option – to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”