High-risk employee behaviours making organisations vulnerable to attacks
Employee security behaviours and hybrid working are making Australian businesses more vulnerable to cyberattacks, according to the State of Cyber Resilience in Australia 2022 report from Barracuda.
The findings reveal that 60% of employees assume links in emails are safe to click on if the message came through the corporate email system, and 22% download and install unapproved software onto devices used for work.
Just over half (51%) of employees surveyed had been directly impacted by a cyberattack in the last 12 months, the report shows.
The study surveyed 504 Australian IT decision-makers and non-IT workers in organisations of at least 50 employees.
Key findings include:
Organisations are intensely vulnerable to email-borne threats
52% of mobile users will click on a link if it comes from a sender that they trust.
60% of respondents assume a link in an email is safe to click on if the email has come through the corporate IT system.
20% of those who clicked on a malicious link only discovered this when their machine was infected with malware or ransomware.
37% of respondents have not had training in key areas of cybersecurity awareness such as email security, malware, or ransomware, and 14% have had no training at all.
Security takes a backseat to flexibility and productivity with senior management left most at risk
44% of respondents say that security systems prevent them from working efficiently.
33% admit to bending the rules to get a job done. This includes using a non-approved browser (31%), running traffic through a private VPN (29%), and using unauthorised third-party software (22%).
Senior managers are the most likely to bend the rules, with 52% saying they use unauthorised third-party software or cloud services to complete their work.
"Flexibility and agility have become key business mantras, but our research suggests that in increasingly hybrid work environments, some organisations and employees may be flexing too far and bending cybersecurity rules to get a job done," says Mark Lukie, Sales Engineering Director, Barracuda APAC.
"We also uncovered a lack of awareness regarding cybersecurity that could be leaving organisations exposed. Australian organisations need to urgently review their hybrid and work-from-home environments, commit to the adoption of best security practices like the Australian Cyber Security Centre's Essential Eight framework, and provide cybersecurity hygiene refresher training to staff, in order to protect against today's evolving email threats, application vulnerabilities and the ever-present risk of data breaches."
The research also found that there is limited use of multi-factor authentication (MFA) among Australian businesses. 40% of the respondents said they do not have MFA in place but rely on password management to protect credentials, while 74% of them said that remembering new complex passwords is a challenge.
The research was undertaken by StollzNow Research for Barracuda to get Australian organisations' perspectives on the security challenges of remote work arrangements and other issues related to security culture and training in the workplace.