One in Four Employees Hide Security Incidents

Sue Marquette Poremba

I’ve written a lot over the years about the ways employees contribute to an organization’s cybersecurity failings. We’ve seen insider threats, both malicious and accidental. We’ve seen the need for better security training and education, as recently evidenced by a Wombat study that found that 30 percent of employees don’t even know what phishing is – and you certainly can’t prevent a malware infection or security incident if employees can’t tell a fake email from a legitimate one and don’t understand the damage that can be done.

Now, Kaspersky Lab revealed another way employees are hurting their company’s security posture: One in four are hiding security incidents from their employers. This “hiding” behavior is the biggest challenge for larger-sized businesses, with 45 percent of enterprises experiencing employees hiding cybersecurity incidents, compared to 42 percent of SMBs. In very small businesses, with fewer than 50 employees, the percentage drops considerably to 29 percent, but then, I’d think it would be a lot more difficult to hide your tracks if you only have a handful of employees.

When employees hide security incidents, they can cause a serious amount of damage to the organization. It could lead to breaches being larger than they would have been if reported more quickly, and that leads to a greater compromise of data. When the incident isn’t reported immediately, it doesn’t allow the security team to properly and efficiently mitigate the problem.

The need to speak out and stop hiding security incidents must be reinforced from the highest management levels down to anyone who has access to the network, including interns and temp employees, according to Slava Borilin, security education program manager at Kaspersky Lab, who added in a formal statement:

If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.

Yet, I have to wonder if these employees are intentionally hiding security incidents or if they simply don’t know. If you have a third of the employee base who can’t identify a phishing email, how can you be sure they would know to report it if they clicked on a malicious link and downloaded malware to the system? So are those who aren’t reporting incidents those who fall into that category of not understanding what a security threat looks like?

So again, it comes down to education and training. But let’s add another layer here: IT departments and upper management need to create an environment where employees feel comfortable admitting they made an error that creates a potential security incident. We all make mistakes, after all. I’m all for employees being encouraged to question everything, and for IT and security creating an atmosphere of trust. Without it, employees will continue to be insider threats, and to be unwilling to report it.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba




Comments

Jul 20, 2017 12:51 PM, Megan says:
Very insightful and forward-thinking article on this subject. We’ve also seen many of these concerns trending globally. Education, training and strong leadership are key aspects to building a strong trust atmosphere, where employees feel like they can approach the subject with upper management. No more hiding. While we agree with your findings, we’d also like to add that important tools can aid in the training, monitoring and reinforcement process. An employee monitoring software integrated into the daily activities of the company would secure the server against insider threats. This user-based approach logs user data providing tangible examples during training processes, which is a great education tool. Further, it’s one more layer of defense against cyber attacks by putting more watchful eyes on the system. Thanks for sharing. We enjoyed reading.
