Why are IT leaders not concerned about breach risk?
New research from KnowBe4 suggests that 2022’s major data breaches have had little impact on how IT decision-makers view risk to their organisations. Less than four in 10 (37%) say they are concerned about phishing risks — a similar number to 2021 (38%) — despite the recent and well-publicised Optus and Medibank breaches. Even fewer respondents are concerned about business email compromise (BEC) — 27% in 2022 versus 28% in 2021.
Less than half (37%) are confident they know the steps to take following a cyber incident or data breach in their organisation. Four in 10 (42%) believe their employees can identify phishing and BEC emails, and fewer still (38%) believe employees are reporting all suspicious emails.
This is a concern according to Jacqueline Jayne, Security Awareness Advocate for APAC at KnowBe4.
“When those charged with keeping a business secure are unaware of the risks and employees are unable to identify scam emails and SMS messages, their organisations are at significant risk. According to the ACCC, Australians lost a record $424.8 million to scams from January to September 2022 (up a massive 90% over the same time the previous year). If those in charge of security are unaware of best practices, then they cannot educate and train employees,” Jayne said.
Employees’ behaviour putting organisations at risk
Recent data breaches do appear to have improved password hygiene. In 2022, a quarter (26%) of Australian office workers admitted to using the same password for more than one account, significantly less than in 2021 (34%).
However, that’s where the good news ends. Employees of all ages are engaging in risky behaviour, with more than one in 10 admitting to using their work email address (13%) and their work phone (16%) for personal activities. Nearly three in 10 (30%) don’t believe this is a security risk to their employer.
Just over half report they never engage with suspicious emails (56%) or suspicious SMSes (54%), with only four in 10 always reporting these items to the IT team responsible for cybersecurity.
“When employees are using their work email address for personal activities such as online shopping, they are much more likely to fall victim to a phishing attack that uses a hook such as delivery delays to entice the victim to click through. Having a clear separation between work and personal activities makes it much easier to spot when an email is a scam — if you know you never shop online using your work email address, then you know that email from Amazon cannot be real,” Jayne said.
“How employees perceive their role is a critical factor in sustaining or endangering the security of the organisation,” Jayne explained. “It is imperative that employees are educated on securing not only their professional but also their personal environments. What they learn, and how they incorporate it into everyday behaviours and attitudes, is then completely transferable into their personal lives and will protect their own data.”
Younger employees are most risky
The research reveals that younger office workers may be at highest risk of cyber attacks. They are more likely than their older counterparts to:
- engage with suspicious emails (Gen Z at 62% and millennials at 51% compared to Gen X at 39% and baby boomers at 21%);
- engage with suspicious SMSes (millennials at 55% compared to Gen X at 43% and baby boomers at 24%); and
- say they are not confident that they could identify suspicious emails (Gen Z at 61%, millennials at 45% and Gen X at 46%, compared to baby boomers at 34%).