Data breaches continue to rise - are decision makers doing enough?
Data breaches hit the headlines last year, but they have seemingly had little impact on how IT decision makers view the risks to their organisations.
According to new research from KnowBe4, less than four in ten (37%) Australian IT decision makers say they are concerned about phishing as a risk to their organisation, compared with almost the same number (38%) in 2021.
Even fewer are concerned about Business Email Compromise (BEC): 27%, compared with 28% in 2021. Alarmingly, fewer than four in ten IT decision makers (37%, down from 42% in 2021) say they are confident they would know the steps to take following a cyber incident or data breach in their organisation.
Furthermore, only around four in ten Australian IT decision makers believe the employees in their organisations understand the business impact of falling victim to a cyber attack (42%, 40% in 2021), are confident their employees can identify phishing and BEC emails (38%, 42% in 2021), or believe their employees report all emails they consider suspicious (38%, 39% in 2021).
Jacqueline Jayne, Security Awareness Advocate for APAC at KnowBe4, is concerned. She says, "When those charged with keeping a business secure are unaware of the risks and employees are unable to identify scam emails and SMS messages, their organisations are at significant risk.
"According to the ACCC, Australians lost a record $424.8 million to scams from January to September 2022 (up a massive 90% over the same time the previous year). If those in charge of security are unaware of best practices, then they cannot educate and train employees."
Fortunately, the recent data breaches do seem to have improved employees' password hygiene, the study shows.
A quarter (26%) of Australian office workers admit to using the same password for more than one account, significantly fewer than in 2021 (34%).
However, that's where the good news ends, KnowBe4 states. Employees of all ages are engaging in risky behaviour, with more than one in ten admitting to using their work email address (13%) and their work phone (16%) for personal activities.
Three in ten (30%) don't believe using their work email for personal activity is a security risk to their employer. Only just over half say they never engage with suspicious emails (56%, 57% in 2021) and suspicious SMSs (54%, 57% in 2021), with only four in ten (40%, the same as in 2021) saying they always report suspicious emails and SMSs to the IT team responsible for cybersecurity.
When employees use their work email address for personal activities such as online shopping, they are much more likely to fall victim to a phishing attack that uses a hook such as a delivery delay to entice the victim to click through.
Jayne says, "Having a clear separation between work and personal activities makes it much easier to spot when an email is a scam: if you know you never shop online using your work email address, then you know that email from Amazon cannot be real.
"How employees perceive their role is a critical factor in sustaining or endangering the security of the organisation. It is imperative that employees are educated on securing not only their professional but also their personal environments. What they learn and how they incorporate it into everyday behaviours and attitudes is then completely transferable into their personal lives and will protect their own data."
Finally, the KnowBe4 research reveals that younger office workers may be at highest risk of cyber attacks.
They are more likely than their older counterparts to:
- Engage with suspicious emails (Gen Z 62% and Millennials 51% compared to Gen X 39% and Baby Boomers 21%)
- Engage with suspicious SMSs (Millennials 55% compared to Gen X 43% and Baby Boomers 24%)
- Say they are not confident that they could identify suspicious emails (Gen Z 61%, Millennials 45% and Gen X 46%, compared to Baby Boomers 34%)