IT security, the human factor

Author: Michael Renotte
06/02/2019
Cybersecurity

According to a Kaspersky Lab study, 88% of employees have no idea what their company’s IT security policy actually involves. This lack of awareness of security rules leaves companies, especially SMEs, dangerously exposed to cyber threats.

While cyber threats are becoming more sophisticated every day, the vast majority of employees are unaware of the IT security strategies implemented within their organization and of the rules in place to ensure their own protection. Indeed, although 49% of surveyed employees say they consider protection against cyber threats within their company to be a shared responsibility, only 12% report being fully aware of their company’s security policies, according to the survey results.

These findings highlight the fact that employees represent a major security risk factor within organizations, especially as they are responsible for 46% of security incidents each year, according to a previous Kaspersky study. Yet employees are also a key element in strengthening security, and companies must implement strong awareness campaigns to protect themselves against cyber threats.

Out of nearly 8,000 employees surveyed by Kaspersky, 24% believe that their company has no formal security policy.

This lack of awareness is particularly concerning for SMEs, which in most cases do not have dedicated IT security teams and share security responsibilities between IT and non-IT staff, Kaspersky further notes. SMEs are generally the most exposed to threats, particularly ransomware, because they lack both the personnel and financial resources needed to secure their IT infrastructure.

According to the study, the employees most at risk are those who often have access to critical company data: executives, HR managers, and finance specialists. If basic cyber hygiene practices—such as password changes or software updates—are not followed by all employees, the entire organization can potentially be put at risk.

According to Cédric Mauny, Head of Cybersecurity Services at Proximus NXT, “the issue of an uninvolved, untrained, or simply unaware workforce can be a major challenge for companies where cybersecurity culture is still in development. Not only can employees themselves fall victim to cybercrime, but they also have a duty to protect their organization from these threats. In this regard, companies must train their staff and implement security solutions that are both effective and easy to use in order to ensure adoption across the entire workforce. Implementing security on a daily basis should no longer require being a cybersecurity expert. The responsibility of experts is to make security accessible. The best tool will never be used—even by the most engaged employees—or worse, it will be bypassed if it is poorly designed or misused.”

Only 12% of employees say they are fully aware of the IT security policies and rules in place within their company. – Kaspersky Lab, 2018

24% of employees believe that their organization has no formal security policy. – Kaspersky Lab, 2018
