High-Profile Attacks Improve Cyber Hygiene—But Not Enough
Companies in Australia have had a major wake-up call from a series of high-profile cyber attacks over the last 18 months. These incidents have led to large-scale theft of personally identifiable information (PII), a surge in scams that seek to exploit that information and, predictably, unwanted attention in the press.
Lawmakers have responded with new rules that aim to protect consumers and reduce the risks of large-scale breaches. As a result, many Australian companies are reviewing their controls and working to improve their security posture.
So how are these efforts going? Leading cybersecurity and compliance company Proofpoint surveyed 1,017 Australian workers to answer that very question. The study, conducted by Censuswide, explored the threats workers face and whether those threats have prompted any changes in cyber hygiene.
The good news: 87% of Australian workers have indeed improved their cyber hygiene. The bad news: these threats are as relentless as ever, and many users remain vulnerable.
Here are some highlights of the study.
Fake logistics companies are the most common source of scams
Scammers are more brazen than ever. Nearly two-thirds (63%) of Australian workers surveyed said they receive scam calls, texts or emails at least two to three times per week. Most of these (91%) come from the following sources:
- Fake logistics companies: Nearly half (48%) of Australian workers said they have received emails, texts or calls about bogus package-delivery notices.
- Fake financial institutions: More than one-third (38%) of Australian workers said they have received emails, texts or calls from someone posing as a bank. Requests to make changes to accounts, such as password updates, are common.
- Fake telecoms: 37% said they have received emails, texts or calls from fake telecom service providers.
- Fake organisations (general): About one-quarter (24%) said they have received emails, texts or calls from fake organisations asking to make changes related to recent data leaks.
- Fake legal organisations: 17% received emails, texts or calls alerting them to a fake legal issue, such as a windfall inheritance.
- Fake charities: 14% of respondents said they received emails, texts or calls from fake charities asking for donations.
- Fake health authorities: 9% of Australian workers said they received emails or texts from fake health authorities about COVID-19 or health-related checkups.
Australian workers remain vulnerable to file-sharing links and one-time passcode sharing
Have Australian companies done enough to protect themselves from these scams? According to our survey, complacency remains. Too many Australian companies continue to take unhealthy risks. And while high-profile attacks spurred some improvements in cyber hygiene, it's clearly not enough.
Consider how workers use file-sharing platforms. Google Drive, Microsoft OneDrive and Dropbox are widely used across the country. Our research shows that 20% of Australian workers are either unlikely to verify links contained in shared documents—or worse, don't know how to. Cybercriminals often use such links to lead users to malware and phishing sites that compromise their systems and steal sensitive data. The attackers' success rate is high. That's because people tend to implicitly trust these links, and it takes just one successful phishing email to compromise an entire organisation.
In the same way, 17% of Australian workers remain likely or very likely to share a one-time password (OTP) if requested by someone pretending to be connected to a colleague, family member or friend.
Security awareness is becoming more critical for Australian organisations. People should be the first line of defence for companies, not the weakest link. Workplace culture changes spurred by improved awareness programs can help reduce risk, especially risks that stem from people.
But despite the clear need, our research shows that nearly one-quarter (23%) of Australian workers believe they don't have enough training to identify threats, unsafe emails and text scams.
At the same time, only 36% of Australian workers believe the culture of security awareness is a top-of-mind issue for their company's leaders. So, there is much room for improvement.
Why you need a people-centred approach to cybersecurity
Phishing attacks continue to bombard working Australians. And alarmingly, even simple attacks are proving highly successful. Attacks on major companies have made headlines, and most working Australians have experienced these attacks personally. These incidents have increased cybersecurity awareness but done little to improve users' ability to detect these attacks and stop them.
Cybersecurity controls typically focus on technology and infrastructure vulnerabilities. But today's phishing attacks bypass technology controls, exploiting people instead. Not enough attention is placed on people-based risks and users' role in enabling cyber attacks.
As our research shows, nearly two-thirds of Australians receive scam calls, texts or emails two to three times per week. Despite warnings never to share OTPs—and training on how to recognise malicious links—too many working Australians remain vulnerable.
Only a new people-centred approach to cybersecurity can mitigate these risks. That means a greater focus on people and investments in user awareness. Security leaders must also acknowledge that no security controls can prevent all breaches. That's why they need a sharper focus on controls that allow them to detect and respond to breaches as quickly as possible. That includes using people to recognise and detect threats.
Adopting a people-centred approach forces companies to step back and consider how, why and by whom technology is being used. Too often, cybersecurity approaches are centred around purchases of multiple discrete tools, each designed to close a newly discovered vulnerability.
This vicious cycle has created vast complexity and a poor understanding of the vulnerabilities that stem from human behaviour. That's why now is the time to rethink your cybersecurity approach and break the attack chain.
*The 2023 Australian User Survey of 1,017 Australian workers was conducted by research firm Censuswide in early January 2023. The aim of the survey was to understand the kinds of scam communications commonly received by Australian workers and whether recent high-profile attacks have influenced them to improve their approach to cyber hygiene.