Organisations often disclose data breaches publicly, mainly because of regulatory and compliance norms, but they are least likely to do so when personal employee data is leaked, Kaspersky’s new report reveals.
The Kaspersky Employee Wellbeing 2021 report stated that organisations regularly face employee data leakage. Almost half of these organisations (45%) prefer not to disclose employee data leakage incidents publicly. At the same time, staff may lack the basic cybersecurity knowledge to protect themselves, as only 44% of businesses offer IT security training.
A successful corporate cyber-defence is impossible without employees at all levels joining forces. Technology is key to preventing cyber attacks, but human factors still play a crucial role – being tied to 85% of incidents.
Kaspersky’s global survey of IT business decision-makers provides insights into how well organisations and workers collaborate and protect themselves, their clients and each other. Besides data breaches involving the theft of customer information, personal employee data leakage is very popular with cybercriminals.
In 2021, 35% of organisations weren’t able to provide complete security of their workers’ data and faced incidents involving this type of information. It is surpassed only by customers’ personally identifiable data (43%). The fact that 45% of affected organisations haven’t disclosed a breach of personal employee data publicly is a sign that the problem is bigger than it seems.
As for the rest, 43% of organisations have shared information about an incident proactively, and 12% of organisations did so only after it was leaked to the media.
Compared to corporate or customer data breaches, employee data leakage is the least frequently disclosed type of leak.
According to Evgeniya Naumova, Kaspersky’s EVP – Corporate Business, when an organisation faces a cyber-incident, correct crisis communications are no less important than response and recovery actions. “There are ever-present risks of data breaches, and businesses should acknowledge that proactive disclosure is preferable to an exposé in the press,” said Naumova.
“Appropriate, accurate, and timely communications, however, not only minimize the potential reputational damage but can also greatly mitigate direct financial losses,” added Naumova.
To avoid panic or confusion, she advised that a company needs to consider developing a clear crisis plan and train employees in advance. Corporate communications professionals and IT security teams should collaborate to exchange information on cybersecurity insights.
“Besides, they should determine guides, tools, channels, and language that might be helpful to accurately handle both internal and external communications in case of an emergency,” she added.
Lack of external knowledge of potential cybersecurity incidents is not usually mitigated with internal efforts. Only 44% of organisations have already implemented security education and training to ensure that employees are provided with crucial information, as per the study.
In addition, more than half (64%) of those companies have experienced at least one issue relating to the quality of these services. This includes dissatisfaction with the high complexity of courses and a lack of support or expertise on the part of the training provider.
Employees can’t be expected to follow the rules if they lack the basic knowledge of protective measures and their importance.
In 2021, staff compliance and dealing with an insufficient end-user security culture is one of the top three biggest concerns for businesses when it comes to IT security – 42% of respondents cited it as the most alarming issue.
In practice, companies regularly face informational security infringements (41%), inappropriate IT resource use (42%), and improper sharing of data via mobile devices (38%).