A staggering 14 percent of cyber incidents are due to senior IT security staff errors, compounded by a further 15% of errors caused by other IT staff. According to a new study published by cybersecurity firm Kaspersky, over the last two years, 77 percent of companies experienced between one and six cybersecurity breaches, with IT security staff being directly culpable for almost a third of all cybersecurity breaches.
Only four factors could be responsible for such rampant cybersecurity failings: gross incompetence at a senior level, a lack of financial resources, an acute shortage of sufficiently skilled personnel, or dishonest staff. While 18 percent of respondents blamed a skills shortage for their shortcomings, the Kaspersky study firmly lays the blame on careless and corrupt employees.
The study reports that over a quarter (26 percent) of all cyber incidents in the past two years were caused by employees’ intentional information security policy violations. These internal actions reflect almost the same level of danger to business security as hacking, which is what 30% of respondents reported.
“Compared to a global average of just 8%, the extent of incidents caused by information security policy violations by non-IT employees sits at an alarming 22%. This is compounded by 34% reporting that intentionally malicious behavior is a significantly more common issue in financial services,” says Kaspersky.
While additional investment in cybersecurity, better-qualified staff, and regular cybersecurity briefings for all relevant team members are an essential part of the solution, they do little to directly address the rapidly growing problem of the rogue employee. Recent examples include Western Union admitting to criminal violations, including failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud.
A ransomware gang might plant an employee
According to a survey conducted last year amongst 600 parents across the UK by Censuswide on behalf of International Cyber Expo in autumn 2022, forty percent of parents believed their children will become cybercriminals purely as a result of a chronic lack of cash during the current cost-of-living crisis. This expectation is fuelled by the fact that arrest rates for cybercriminals are far lower than those for traditional offline crimes and that the relatively small chance of being caught is likely to further tempt increasingly large numbers of broke young professionals into a criminal life of easy money.
The cybersecurity industry also fondly imagines that, by supplying jobs, it is steering young hackers away from a life of cybercrime. While this is doubtless true in many cases, there are a number of roles within a company, many at a relatively junior level, that could enable a rogue employee to steal the keys to the kingdom in the form of access codes enabling the threat actor to bypass the company’s cyber defenses. Or a well-organized ransomware gang might plant such an employee and then make them the ‘innocent’ victim of a convincing spear-phishing attack. As all the employee would have to do is to click on a seemingly innocent link appearing to come from a trusted friend or colleague, they would have plausible deniability that they were guilty of purposefully committing any crime.
