A recent study conducted in the US and Canada has revealed that intentional security policy violations by employees accounted for 33% of cyber incidents in businesses over the past two years, a higher share than the 26% attributed to external hacking attempts. The study emphasizes that both IT and non-IT employees play a significant role in these intentional policy violations.

IT security officers were responsible for 8% of the incidents [1], while other IT professionals and non-IT colleagues caused 18% and 10% respectively [1]. The most common employee behavior leading to incidents was deliberately breaking rules or failing to carry out required actions [1]. Weak passwords, and failure to change them in a timely manner, accounted for 40% of incidents [1], while visiting unsecured websites and not updating software or applications caused 23% and 21% respectively [1]. Other reported incidents included unauthorized use of systems for data sharing, accessing data through unauthorized devices [1] [2], and sending data to personal email addresses [1]. Additionally, 27% of incidents were committed by employees for personal gain [1] [3]. The financial services sector reported a higher share of intentionally malicious policy violations, at 34% [1].

The study highlights the importance of fostering a culture of cybersecurity within companies and of developing and enforcing security policies that raise awareness among employees [3]. Addressing intentional security policy violations by employees is crucial [3], given their significant contribution to cyber incidents. Measures such as educating employees about the importance of strong passwords, keeping software regularly updated, and discouraging unauthorized use of systems can reduce the risk of such incidents. The findings also have implications for future cybersecurity strategies, emphasizing the need for ongoing monitoring, training, and enforcement to protect sensitive data and prevent cyber threats.

[1] https://vmblog.com/archive/2023/11/22/kaspersky-research-confirms-information-security-violations-by-staff-are-almost-equally-as-common-as-cybersecurity-breaches.aspx
[2] https://www.itsecurityguru.org/2023/11/22/employees-breaking-security-policies-just-dangerous-as-being-hacked-kaspersky-global-study-shows/
[3] https://www.infosecurity-magazine.com/news/employee-violations-cause-26-cyber/