46% of South African companies prefer not to disclose data breaches in which their employees’ personal information was leaked, according to Kaspersky’s Employee Wellbeing 2021 report.
The cybersecurity solutions provider said that while high-profile data breaches were mainly associated with stealing customer information, personal employee data was also very popular with cybercriminals.
20% of the organisations Kaspersky surveyed faced incidents wherein workers’ data was compromised.
Kaspersky executive vice president for corporate business, Evgeniya Naumova, said the report showed that many of these companies did not realise that crisis communications were no less critical than response and recovery actions during a cybersecurity incident.
“There are ever-present risks of data breaches, and businesses should acknowledge that proactive disclosure is preferable to an exposé in the press,” Naumova said.
“The fact that 46% of affected organisations haven’t disclosed a breach of personal employee data publicly is a sign that the problem is bigger than it seems.”
Of the remaining South African companies that participated in Kaspersky’s survey, 50% shared information about an incident proactively, and 4% did so after it had been leaked to the media.
According to Naumova, timely communications don’t just minimise the potential reputational damage but can also significantly mitigate direct financial losses.
Naumova said corporate communications professionals and IT security teams should collaborate to exchange information on cybersecurity insights.
They should also determine guides, tools, channels, and language that might be helpful to accurately handle both internal and external communications in case of an emergency.
Over half of SA companies give no security education
She called on companies to develop a clear crisis plan and train employees in advance regarding cybersecurity.
The research showed that less than half of South African organisations had already implemented security education and training to provide employees with crucial information.
“Employees that had not been provided with basic knowledge about the importance of protective measures can’t be expected to follow the rules,” Kaspersky said.
“Technology is important to prevent cyber attacks, but human factors still play a crucial role, being tied to 85% of incidents.”
“Breach prevention requires concerted action by everyone who interacts with a corporate system and could be a potential target for attackers.”
“In 2021, compliance of staff and dealing with insufficient end-user security culture is one of the top three biggest concerns for businesses when it comes to IT security — 26% of respondents cited it among the most alarming issues,” the company added.
To better secure employees, companies should combine reliable protective measures with maintaining security awareness among their teams by ensuring the following:
- Prompt patching and updating of software to prevent adversaries from penetrating the system.
- Implementing high-grade encryption for sensitive data and enforcing strong credentials and multi-factor authentication.
- Using effective endpoint protection with threat detection and response capabilities to block access attempts, and managed protection services for efficient attack investigation and expert response.
- Minimising the number of people with access to crucial data.
- Equipping your employees with the cybersecurity skills they need.
- Working with globally recognised providers that can ensure an efficient learning process.