Almost half of workers in Australia believe their workplace is vulnerable to a cyberattack, according to the latest Employee Sentiment Index by HR technology platform ELMO Software.
Even more worryingly, the survey of 1000 Australian workers found just under a third of employees don’t know how to prevent themselves from falling victim to a phishing attack at work.
After a spate of high-profile hacks over recent years, more than half of workers are now worried about their personal information being stolen as part of a cyberattack on their workplace, the survey found.
But despite the lack of confidence among employees, less than half say their workplace offers training courses or education to help prevent an attack.
ELMO Software CEO Joseph Lyons says the survey findings should serve as a wake-up call for Australia’s business leaders.
“It’s alarming to see that a third of Australia’s workforce don’t feel equipped to stop themselves from being duped by a hacker at work,” he says. “But what’s most concerning is the fact that half of businesses are overlooking one of the most crucial methods to prevent attacks – training their staff.
“Given the number of workers who are worried about the personal data their employers have on file, businesses need to seriously consider whether they have the right technology in place to store information securely and prevent it from being accessed by third parties.
“But it doesn’t stop at technology, training is also key. Last year, we helped deliver cybersecurity training courses to over 15,000 employees across Australia and New Zealand.”
The Index found that cyber fears are far more prevalent among the older generation of workers. Baby Boomers are particularly worried, with 54% feeling concerned about being scammed on their work devices compared to just 38% of Gen Z respondents.
However, while Millennial workers are the most confident about knowing how to prevent a phishing attack, they’re also the most likely to use non-approved apps or software (33%, compared with an average of 26%).
Mid-sized business less likely to take preventative action
Almost two thirds of employees say their business has IT security measures in place such as firewalls or antivirus software and a further 54% have cybersecurity policies/protocols to help prevent an attack.
However, training courses/education are in place for only 47% of respondents and even fewer (25%) say their businesses use simulated phishing attacks to help test their knowledge.
The survey found that larger organisations (200+ employees) were more likely to employ all of the prevention methods respondents were surveyed about, but one of the most marked differences was in the number of businesses providing learning courses.
Only 36% of employees in businesses with fewer than 200 staff say their organisation provides staff with training, compared to 64% of workers at businesses with 200+ staff.
Lyons says: “Mid-sized business leaders might think they’re less of a target compared to bigger, well-known organisations. But falling into that trap could be leaving them exposed.
“Regardless of size, being targeted by an attack is a very real possibility and it’s something every C-suite leader needs to be thinking about.
“Cybersecurity is no longer the sole responsibility of IT departments, especially given the rise in attacks that target human vulnerability. HR leaders need to be working alongside their IT and Finance counterparts to develop continuous training and ensure the employee data they hold is kept secure.”
The rise of shadow IT
The survey findings also highlight a major challenge for businesses trying to mitigate the risk of an attack. Just over a quarter (26%) of employees admit to using apps, software or devices that haven’t been approved by their company.
This practice is known as shadow IT. When workers use software that hasn’t been vetted by their employer, it becomes impossible for the business to get a handle on its risks or take action in the event of an attack.
Carmen Nunez, ELMO’s Senior Information Security Manager, says having the right people, tools and organisational controls are all key to ensuring software has been vetted and approved.
“The risk of employees downloading unauthorised applications into a company’s corporate environment is very real,” she says. “Employees may be tempted to sign up for free trials and upload valuable company information without considering the risk.
“This type of behaviour can lead to malware and ransomware attacks, as well as other cyber threats. Imagine trying to determine the source of an attack if the IT department doesn’t have visibility across the company.
“Mitigating these risks requires an approach that spans people, processes and tools. Supplier security and employee education, as well as having the right tools to quickly detect and disable unauthorised applications, are at the core of our ISO 27001:2022 certification.”