WOBURN, Mass., Nov. 15, 2023 -- Kaspersky today shares new insight into the role the human factor plays when it comes to data breaches, and the underlying reasons it is still a challenge for employees in SMB organizations to adopt better cybersecurity habits at work.
According to survey results, the main factor (38%) preventing employees from adopting new cybersecurity behaviors is a lack of awareness or knowledge of best practices. Further, psychological barriers such as the fear of making mistakes or being judged by colleagues are the top (39%) reason why survey participants reported they do not change their cybersecurity behaviors.
According to Gartner, 74% of all data breaches involve some human element. This raises the question of what more can be done to prevent human-driven cyberattacks. To gain a deeper understanding of why employees continue to be challenged by implementing better cybersecurity hygiene, Kaspersky conducted a survey targeting IT decision makers in the United States and Canada to get to the root cause of the problem, and further, discuss from an industry standpoint what can be done to prevent future attacks.
Security trainings and awareness are the most common ways IT security teams educate employees on best practices and risks of cyber breaches, with 58% of respondents reporting their organization continues to provide cybersecurity training and awareness programs. However, the survey results found that only 15% of IT decision makers have full confidence that employees would be able to implement better cyber hygiene.
The disconnect between knowledge and a change in behavior lies in the underlying psychological barriers that employees endure in their daily routines. The survey uncovered that the three biggest factors contributing to employees' resistance or reluctance to change their cybersecurity behaviors in the workplace were the perception of inconvenience or time constraints (37%), lack of leadership support or enforcement (37%) and the fear of change or unfamiliarity (35%).
In addition, the perceived consequences of cyberattacks against a company as a result of employee negligence were also a contributing factor. Respondents said they perceive not following cybersecurity guidelines in their organization to have only moderate consequences, which only somewhat influences their behavior (38%). This highlights an important lack of understanding between IT decision makers and non-IT employees, as it is clear they do not recognize the long-term impact a cyberattack can have against their organization.
"While IT security teams do their best to train employees on cybersecurity best practices, it is clear that traditional trainings and awareness programs are not enough," said Trevor Serebro, MSP and distribution territory channel at Kaspersky. "Our job as cybersecurity professionals is to enhance the 'human firewalls' within our organizations to mitigate cyberattacks, and the best way to do this is to adopt a corporate culture of security awareness, consciousness and responsibility among employees to lessen future human factor attacks."