I’ve written a lot over the years about the ways employees contribute to an organization’s cybersecurity failings. We’ve seen insider threats, both malicious and accidental. We’ve seen the need for better security training and education, as recently evidenced by a Wombat study that found that 30 percent of employees don’t even know what phishing is – and you certainly can’t prevent a malware infection or security incident if employees can’t tell a fake email from a legitimate one or don’t understand the damage that can be done.
Now, Kaspersky Lab revealed another way employees are hurting their company’s security posture: One in four are hiding security incidents from their employers. This “hiding” behavior is the biggest challenge for larger businesses, with 45 percent of enterprises experiencing employees hiding cybersecurity incidents, compared to 42 percent of SMBs. In very small businesses, with fewer than 50 employees, the percentage drops considerably to 29 percent, but then, I’d think it would be a lot more difficult to hide your tracks if you only have a handful of employees.
When employees hide security incidents, they can cause a serious amount of damage to the organization. It could lead to breaches being larger than they would have been if reported more quickly, and that leads to a greater compromise of data. When the incident isn’t reported immediately, it doesn’t allow the security team to properly and efficiently mitigate the problem.
The need to speak out and stop hiding security incidents must be reinforced from the highest management levels down to anyone who has access to the network, including interns and temp employees, according to Slava Borilin, security education program manager at Kaspersky Lab, who added in a formal statement:
If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.
Yet, I have to wonder if these employees are intentionally hiding security incidents or if they simply don’t know. If you have a third of the employee base who can’t identify a phishing email, how can you be sure they would know to report it if they clicked on a malicious link and downloaded malware to the system? So are those who aren’t reporting incidents those who fall into that category of not understanding what a security threat looks like?
So again, it comes down to education and training. But let’s add another layer here: IT departments and upper management need to create an environment where employees feel comfortable admitting they made an error that creates a potential security incident. We all make mistakes, after all. I’m all for employees being encouraged to question everything, and for IT and security creating an atmosphere of trust. Without it, employees will continue to be insider threats who are unwilling to report the incidents they cause.