Careless and criminal employees pose a growing threat to the security of German companies. A study entitled "Cybersecurity in Germany: Better protection of people and data" reveals the many forms of misconduct displayed by employees in German companies.
In 41 percent of the companies surveyed, their own negligent or careless employees caused data loss in the last 12 months: for example, they opened email attachments infected with malware, visited fake websites and filled out fake online forms, or disclosed sensitive information. In 30 percent of the cases, employees with malicious or criminal intent were the main cause of the data breach suffered.
Training is not enough
"82 percent of the companies surveyed conduct an ongoing training program to raise employee awareness of cybersecurity threats," comments Proofpoint's Bert Skaletski. "Such training courses are an essential part of any promising IT security strategy. You can significantly reduce the risk of ignorant or careless employees and make them aware of the dangers of phishing, for example. However, training alone cannot provide adequate protection against employees with dishonest intentions. Instead, companies must take technical measures to counteract malicious or criminal activities. This study makes it clear that there is a significant lack of such measures. Only 51 percent of the companies surveyed have technology in place to specifically combat insider risk, and only 44 percent have a specific plan to respond to insider threats."
Take the human factor seriously
According to the World Economic Forum's Global Risks Report 2022, 95 percent of successful cyber attacks are only made possible by human action. People are therefore the most important target for cybercriminals who want to damage companies. And in most cases, criminals don't break in at all: they are let in by an accidental click or a reused password. 82 percent of companies are now addressing this issue with cybersecurity training programs. However, they are still not doing enough against malicious employees, even though former employees took sensitive data with them in 24 percent of data breaches. In the age of modern work, i.e. working from anywhere, these cases are particularly difficult to control and contain. With the traditional network perimeter gone, the old approach to data security no longer works. Organizations need to invest in information protection and insider risk solutions that protect the modern network edge, from the endpoint to cloud applications, email, and the web.
Central study results
The study provides a number of other revealing findings:
- In 41 percent of the companies surveyed, their own negligent or careless employees were the cause of data loss. There are clear differences depending on company size: in large companies with more than 5,000 employees, this problem occurs much more frequently (52 percent) than in companies with 1,000 to 2,000 employees (34 percent).
- All of the banks and insurance companies surveyed raise their employees' awareness of cybersecurity with an ongoing training program. By contrast, only around 59 percent of retail companies run such a program.
- Clicking malicious links (46 percent) and downloading unknown attachments and files (41 percent) are the most common employee behaviors that lead to IT security incidents.
- Other high-risk employee behaviors include using unknown USB media (30 percent), sharing credentials with others (27 percent), sharing company devices with family and friends (22 percent), and connecting to unsecured private or public Wi-Fi networks (20 percent).
- German companies are currently training their employees on numerous relevant IT security topics. More than two-thirds (68 percent) of organizations include data protection in their training, and 56 percent have email-based threats on their curriculum.
- Given that email is the number one threat vector, it is surprising that it does not feature more prominently as a topic in awareness training. In companies with 1,000 to 2,000 employees, email-based threats such as phishing and BEC (Business Email Compromise, also known locally as "CEO fraud") form part of the cybersecurity curriculum for only 46 percent of them.
- Only around 36 percent of companies train their employees on cloud security.
About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company. Proofpoint's focus is the protection of employees, who represent a company's greatest asset but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.