One quarter of all data breaches due to employees swerving security policies


Many employees are deliberately circumventing their organization’s security procedures, according to new research from Kaspersky.

Analysis from the firm found that a considerable portion of cyber incidents can be attributed to workers disregarding security protocols. In the last two years, for example, 26% of cyber incidents occurred after a staff member violated procedures.

The issue has reached such a scale that the danger breaches of this nature pose to businesses is almost equal to that of external threats such as hacking, Kaspersky warned.

Both IT and non-IT employees were found to be circumventing security procedures. Around 13% of cyber security incidents since 2021 were caused by intentional information security violations by IT security officers, for example.

In terms of the specific actions causing these policy violations, the study revealed employees in 12% of polled organizations had intentionally used unauthorized devices to access sensitive data.

Additionally, other businesses reported that 12% of their staff were found to have sent sensitive information to their personal email addresses.

Potentially the most alarming finding from Kaspersky’s research is that 20% of malicious actions were made by staff for personal gain. 

This also implies another portion of intentional breaches were caused by employees who simply did not want to follow sometimes tedious security procedures.

Accidental breaches are still the most common security incidents affecting firms

Despite the concerning findings around intentional policy violations, the report shows the majority (38%) of cyber security incidents are still caused by accidental human error.

Breaking these incidents down by the actions that caused them, Kaspersky found downloading malware to be the leading cause of incidents by non-IT personnel, accounting for 28% of accidental breaches. 

A quarter of respondents said using weak passwords, or failing to update them regularly, was to blame for the incident, and 24% said they were responsible for a breach when they visited an unsecured website.

Accidental breaches were not solely caused by non-IT staff, however: 14% of cyber incidents caused by unintentional human error were attributed to senior IT professionals.

Ensuring all employees, regardless of department or seniority, have robust cyber hygiene habits is critical for an organization to implement an effective security posture, according to Kaspersky.


Alexey Vovk, Kaspersky’s head of information security, underlined the necessity of a holistic approach to security and compliance in addressing the risks posed by employee behavior. 

“Along with external cybersecurity threats, there are many internal factors that can lead to incidents in any organization. As statistics show, employees from any department, whether it's non-IT specialists or IT Security professionals, can negatively influence cybersecurity both intentionally and unintentionally,” he said. 

“That is why it is important to consider methods of preventing information security policy violations when ensuring security, i.e. to implement an integrated approach to cybersecurity.

“As the numbers are alarming, it is necessary to create a cybersecurity culture in an organization from the get-go by developing and enforcing security policies, as well as raising cybersecurity awareness among employees. Thus, the staff will approach the rules more responsibly and clearly understand the possible consequences of their violations.” 

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.