Data leak of personal employee information is the least disclosed type of data breach, according to a study by cybersecurity firm Kaspersky.

According to the Kaspersky Employee Wellbeing 2021 report, while organisations regularly face employee data leakage, 45 per cent of them prefer not to disclose these incidents publicly.

Kaspersky’s global survey of IT business decision-makers provided insights into how well organisations and workers collaborate and protect themselves, their clients and each other.

Furthermore, staff may lack the basic cybersecurity knowledge needed to protect themselves, as only 44 per cent of businesses offer IT security training.

"A successful corporate cyber-defense is impossible without employees at all levels joining forces," the report said.

Human factors

Technology plays an important role in preventing cyberattacks; however, human factors still play a crucial role, being tied to 85 per cent of incidents.

"Despite high-profile cases of data breaches being mainly associated with stealing customer information, personal employee data is very popular with cybercriminals as well," it said.

In 2021, over a third (35 per cent) of organisations were unable to fully secure their workers' data and faced incidents involving such information. According to the survey, this figure is surpassed only by incidents involving customers' personally identifiable data (43 per cent).

"The fact that 45 per cent of affected organisations haven’t disclosed a breach of personal employee data publicly is a sign that the problem is bigger than it seems," the report said.

As for the rest, 43 per cent shared information about an incident proactively, and 12 per cent said that they disclosed breaches only after the information had been leaked to the media.

"This shows that this type of leak is the least frequently disclosed, compared to corporate or customer data breaches," the report said.

“When an organisation faces a cyber-incident, correct crisis communications are no less important than response and recovery actions. There are ever-present risks of data breaches, and businesses should acknowledge that proactive disclosure is preferable to an exposé in the press,” said Evgeniya Naumova, Executive Vice President, Corporate Business, at Kaspersky.

“Appropriate, accurate, and timely communications, however, not only minimise the potential reputational damage but can also greatly mitigate direct financial losses. To avoid panic or confusion, a company needs to consider developing a clear crisis plan and training employees in advance. Corporate communications professionals and IT security teams should collaborate to exchange information on cybersecurity insights and determine guides, tools, channels, and language that might be helpful to accurately handle both internal and external communications in case of an emergency,” she added.

Organisations also often fail to compensate, through internal efforts such as training, for this lack of external knowledge about potential cybersecurity incidents.

Cybersecurity education

As per the research, only 44 per cent of organisations have already implemented security education and training to ensure that employees are provided with crucial information.

Additionally, 64 per cent of those organisations have experienced at least one issue related to the quality of these services including dissatisfaction with the high complexity of courses and a lack of support or expertise on the part of the training provider.

"Employees that had not been provided with basic knowledge about the importance of protective measures can’t be expected to follow the rules. In 2021, compliance of staff and dealing with insufficient end-user security culture is one of the top three biggest concerns for businesses when it comes to IT security – 42 per cent of respondents cited it among the most alarming issues," the report said.

In practice, companies regularly face information security infringements (41 per cent), inappropriate use of IT resources (42 per cent), and improper sharing of data via mobile devices (38 per cent).

To protect employees, companies should combine reliable protective measures with maintaining security awareness among their teams.
