It is not always a hacker sitting outside your company who makes relentless efforts to break into your computer networks and cause cyber incidents. It can be your employees too. Knowingly or unknowingly, they cause ‘cyber incidents’ that can lead to enormous losses for an organisation. And the number is alarming – 64 per cent of all cyber incidents in the past two years were caused by human error.

Cybersecurity experts say that using weak passwords or clicking malicious links are some of the ways employees can expose an organisation’s computer network. “About 37 per cent of the cyber incidents were caused by deliberate malicious behaviour of employees,” a recent study by cybersecurity solutions company Kaspersky said.

The 2023 Human Factor survey, conducted by Arlington Research, interviewed 1,260 IT & IT security engineers in 19 countries, including India, Brazil, Chile, China, Colombia, France, and Germany.

“It should be noted that these causes are more likely to be accidental than deliberate. Only 8 per cent of incidents were caused by information security policy violation by non-IT employees,” it said.

However, the financial services sector is an anomaly in this regard. Information security policy violations by non-IT staff in this industry are responsible for 22 per cent of cyber incidents, while 34 per cent reported intentionally malicious behaviour by both IT and non-IT employees as a significantly more common issue.

Financial gain

“One of the main reasons for employees to commit malicious actions against an employer is financial gain. Often it means stealing sensitive information with the intention of selling it to a third party: competitors, or even auctioning it on the dark web where cybercriminals buy data to attack businesses,” the report said.

“When employees have been fired, malicious behavior might take place out of revenge. This can be conducted even through connections with current staff, but the worst-case scenario occurs if they still can log into their work account remotely because the organisation hasn’t removed their ability to access its systems as soon as the employee left the company,” it pointed out.

Employees can also act maliciously when they are unhappy with their job or ‘to get even’ with an employer who didn’t give them an expected raise or a promotion, for instance.

Human factor

“The concept of the ‘human factor’ in cybersecurity needs to be looked at closely. In the past two years alone, more than three-quarters (77 per cent) of companies experienced at least one cybersecurity breach, with many enduring up to six in that period,” it said.

Accidental human error (38 per cent) accounted for more incidents than any other factor over the past two years. The most common errors employees made were downloading malware, using weak passwords, or not changing passwords often enough.

“Visiting unsecured websites and using unauthorised systems to share data are also some of the human errors that lead to cyber incidents,” the report said.

“Another interesting type of malicious action occurs when one or more insiders collaborate with an external actor to compromise an organisation,” it said.

How to plug the gaps

* Implementing cybersecurity training to raise awareness among employees.

* Investing in relevant training programs for IT security specialists.

* Controlling and limiting the use of personal devices and third-party applications and services.

* Limiting access to the relevant employees only.

* Updating software as and when updates are available.