Australian employees regularly avoid installing important firmware updates and security patches on their devices because it takes too long, according to new research that found 6 in 10 admit bypassing corporate security policies on a regular basis to make their lives easier.

Fully 60 per cent of Australian respondents to the CyberArk 2024 Employee Risk Survey – a Censuswide study involving 14,003 employees in the US, UK, France, Germany, Australia and Singapore – said they work around security policies designed to protect company data.

Employees are already notorious for using weak passwords, but the new findings suggest careless workers are also regularly using one password across multiple accounts; using personal devices as Wi-Fi hotspots; and forwarding corporate emails to personal accounts.

Fully 49 per cent said they use the same login credentials for multiple work-related applications, while one third use the same credentials for personal and work applications and 41 per cent share confidential workplace-specific information with outside parties.

With a separate CyberArk analysis noting that consumer-focused Big Tech firms like Facebook, Amazon, Apple, Netflix, and Google often hoover up corporate data as well, employees mixing personal and business data can easily create serious security problems.

One employee’s decision to store corporate network credentials in a personal web browser has, for example, been named as the reason the personal data of some 10 million Australians was compromised in the devastating Medicare data breach.

Aren’t executives supposed to set an example?

Such incidents have become business as usual and even high-level employees are ignoring security specialists’ pleas to improve their security, CyberArk CEO Matt Cohen said, noting that “high-risk access is scattered throughout every job role and bad behaviours abound.”

With 80 per cent of Australian employees accessing sensitive workplace applications from personal devices – and 18 per cent of respondents admitting they often avoid installing software updates because “it takes too long” – those behaviours pose a significant risk.

Such risk is amplified by reported casual access to sensitive data – with 40 per cent of employees admitting they habitually download customer data; a third able to alter critical or sensitive data; and a third reporting that they can approve large financial transactions.

Lax controls recently left the US township of Bazetta, Ohio, swimming in recriminations and lawsuits after an auditor blamed a $250,000 ($US160,857) BEC fraud on an executive’s request to disable multi-factor authentication (MFA) for his Microsoft Office 365 account.

Indifference to corporate security requirements “creates serious security issues for organisations and [highlights] the pressing need to reimagine workforce identity security,” Cohen said, “by securing every user with the right level of privilege controls.”

Spending more isn’t necessarily improving genAI security

The findings confirm that, despite years of exhortations, most employees remain creatures of habit and convenience – and that despite companies pouring money into improving their cybersecurity, even the strongest security technology is no match for human indifference.

Australian firms spent over $7.3 billion on information security and risk management products and services this year, according to research firm Gartner, which noted that this had increased by 11.5 per cent from last year – and that cloud security spending would surge by 26.9 per cent.

“Recent highly publicised cyberattacks in Australia, coupled with increasing regulatory obligations, are keeping security and risk top of mind for Australian organisations this year,” noted Gartner senior director analyst Richard Addiscott.

This concern had increased as companies deal with the “tidal wave” of generative AI (genAI) enabled technologies, he added.

“As the frequency and negative impact of cybersecurity incidents continues to rise,” he said, “every organisation is worried about potential fallout.”

Despite their concerns – and those of regulators who Addiscott said “are increasingly pushing for improved competence” – old habits die hard, with employees proving equally uninterested in security while dealing with genAI.

While two thirds of respondents told CyberArk they are using generative AI tools, fully one third ‘only sometimes’ or ‘never’ follow guidelines about handling sensitive information to avoid the tools’ security risks.

Many workers still blame employers for poor security – with just 25 per cent of respondents saying the overall direction of cybersecurity is improving dramatically, and only 22 per cent calling their organisations’ cybersecurity efforts “completely satisfactory.”