Employees remain a top cybersecurity risk factor within the enterprise, according to a Kaspersky Lab and B2B International report released Monday, as they are responsible for some 46% of IT security incidents each year. Further, 40% of businesses globally said that employees hide IT security incidents to avoid punishment.

This issue is most prominent in large businesses: 45% of enterprises with more than 1,000 employees experience workers hiding security incidents, compared to 42% of SMBs and 29% of very small businesses (VSBs).

Uninformed or careless employees are one of the top causes of cybersecurity incidents, second only to malware, the report found.

When workers hide security incidents, it can lead to dangerous consequences for businesses and increase the overall damage caused by the incident, the report noted. A single, unreported threat could lead to a large breach. Security teams must be able to quickly identify these threats in order to mitigate them.

“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab, in a press release.

Employees may hide incidents for a number of reasons, Borilin said. Sometimes companies have strict but unclear policies that warn staff that they will be held responsible if an incident occurs.

“If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious,” Borilin said in the release. For example, Tesla’s Elon Musk recently released a statement requesting that every incident affecting worker safety should be reported directly to him so he can play a central role in change.

Businesses reported a number of fears stemming from a potential internal threat, the report found, with the top three fears all related to human factors and employee behavior. The top concerns were employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%), and the use of inappropriate IT resources by employees (44%).

Cybercriminals often first attempt to gain entry to an enterprise system through the weakest link: employees. Some 28% of targeted attacks on businesses in the last year started with phishing or social engineering, the report found. While sophisticated, targeted attacks are more difficult to avoid, conventional malware tends to strike the general employee population.

“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab, in the press release. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network — all you need is someone inside, who doesn’t know about, or pay attention to security, and that device could easily be connected to the network where it could [wreak] havoc.”

The 3 big takeaways for TechRepublic readers

1. Employees are a major cause of security incidents within the enterprise, but 40% of businesses said that employees hide IT security incidents to avoid punishment, according to a Kaspersky Lab and B2B International report released Monday.

2. Businesses report security concerns over employees sharing inappropriate data via mobile devices, the physical loss of mobile devices exposing their company to risk, and the use of inappropriate IT resources by employees.

3. It’s important for companies to have a positive, non-punitive cybersecurity culture that is based on an educational approach, experts said.