Firms risk exposing workers' data to cybercriminals - report

Firms risk exposing worker data to cybercriminals - report

Nearly two-thirds or 62 per cent of businesses across the Middle East, Turkey and Africa risk exposing their employees’ personal information to cybercriminals by failing to train them on IT security.

This was the conclusion of a survey conducted by cybersecurity firm Kaspersky, which said only 38 percent of businesses offer cybersecurity training.

The 2021 Kaspersky Employee Wellbeing Report established that whereas stealing customer information is common, theft of personal employee data has increased.

In 2021 alone, more than 33 percent of organisations faced security breaches in their workers’ data. With 85 percent of cyberattack incidents attributed to human factors, cyber-experts agree that all employees in an organisation must be involved in countering cybersecurity threats for corporate cyber-defence to be effective.

The fact that 36 per cent of affected organisations have not disclosed a breach of personal employee data publicly points to a bigger problem, Kaspersky noted.

Of the rest, 57 per cent have shared information about an incident proactively and a paltry eight percent did so after information of their data breach had been leaked to the media.

“When an organisation faces a cyber-incident, correct crisis communications are no less important than response and recovery actions,” said Evgeniya Naumova, executive vice-president for corporate business at Kaspersky.

Data breaches

“There are ever-present risks of data breaches, and businesses should acknowledge that proactive disclosure is preferable to an exposé in the press.”

To deal with employee data leakages, Ms Naumova called for companies to consider developing a clear crisis plan and train employees in advance.

This way, in the event of such an incident, the use of appropriate, accurate and timely communications will not only minimise the potential reputation damage but also greatly mitigate direct financial losses, she said.

“Corporate communications professionals and IT security teams should collaborate to exchange information on cybersecurity insights and determine guides, tools, channels, and language that might be helpful to accurately handle both internal and external communications in case of an emergency,” she added.

More than seven in 10 (76 per cent) of companies that have implemented security education and training for their employees, have experienced at least one issue relating to the quality of these services.

This includes dissatisfaction with the high complexity of courses and the training provider’s lack of support or expertise.

Security infringements

In practice, companies regularly face informational security infringements (50 per cent), inappropriate IT resource use (53 per cent), and improper sharing of data via mobile devices (50 per cent).

Data breach prevention requires concerted action by everyone who interacts with a corporate system, as the individual could be a potential target for attackers.

But Kaspersky argues: “Employees that had not been provided with basic knowledge about the importance of protective measures cannot be expected to follow the rules which they do not know.”

To secure employees, companies are urged to combine reliable protective measures with maintaining security awareness among their teams.

The methods of attaining security safety include ensuring prompt patching and updating of software to prevent adversaries penetrating the system, implementing high-grade encryption for sensitive data and enforcing strong credentials and multi-factor authentication.

Kaspersky advised that companies should minimise the number of people with access to crucial data. 

But the best way of securing employees’ personal information is by equipping them with the cybersecurity skills they need.

[email protected]