CISOs know best practice information security management comes down to people as much as technology. Without employees and a robust security culture on your side, tech deployment will not stop threat actors, who continue to find their way into organisations.
It appears Asia-Pacific employees are not getting the message. Cyber security company Proofpoint recently surveyed 7,500 employees and 1,050 security professionals in 15 countries, including Australia, Japan, South Korea and Singapore. The company found that in the Asia-Pacific, many employees confess to behaviours that increase the risk of compromise — like accessing inappropriate websites — despite knowing what they are doing is risky.
Many employees cite convenience and the need for speed as reasons. A large proportion are also still unsure of their security responsibilities or believe it is someone else’s job, despite the investment that has gone into cyber security education and awareness across the region.
How many employees are taking risky actions?
63% of employees in the four surveyed countries in the Asia-Pacific region take risks with security, according to Proofpoint’s State of the Phish report. To make this finding more troubling, a huge proportion of them (98%) knew what they were doing was risky while they were doing it but did it anyway.
However, Japanese employees take the fewest cybersecurity risks. Over half (53%) of respondents from Japan say they never take risky action, compared with a 29% global average. Proofpoint speculated that Japan’s cultural values and a focus on discipline may be behind Japan’s relatively better performance on security behaviour.
Asia-Pacific employees take fewer risks than those in global markets
Asia-Pacific employees are less likely to take risks when compared with the global average but more likely to do so when they know they should not. Proofpoint’s global statistics show 71% of users around the globe take risky actions, and 95% of global employees who take risky actions are aware of the risks they are taking.
What risky actions are employees taking?
Proofpoint found four of the top five risks cited by security professionals are common behaviours among users. For example, the top risk cited by cyber pros — accessing an inappropriate website — was the fourth most common risky behaviour among employees (Figure A). Proofpoint suggested employees may be unclear that these behaviours are risky.
The most common risky behaviour admitted to by employees surveyed in the region was the use of a work device for personal activities. This is despite the fact that this can increase susceptibility to phishing. For example, employees may trust phishing emails they receive in a personal account, putting security at risk.
Employees were also actively reusing or sharing passwords, connecting their work device in a public place without using a VPN, and responding to email and SMS messages from someone they didn’t know.
Why are employees taking risky actions?
Employees revealed the primary reasons why they engage in risky cyber security behaviour:
- 54% took risks because it was more convenient.
- 38% had done so to save time on their work.
- 23% had behaviour driven by an urgent deadline.
Less common reasons why employees took risks with cyber security were also unearthed:
- 19% took risks to save money.
- 19% had cut corners to meet performance objectives.
- 11% were trying to meet a business revenue target.
Employees unsure about their security responsibility
Employees in the Asia-Pacific region were the most likely among global employees surveyed to say they were unsure about their personal responsibility for cyber security. Proofpoint found that 57% of employees surveyed in the region said they were unsure about their responsibilities, compared with 54% around the globe.
The survey also revealed IT security teams are overconfident about employees’ level of responsibility awareness. While 84% of IT security individuals surveyed said their employees believed they were responsible for security, only 39% of employees themselves said they counted this as part of their responsibilities (Figure B).
What can Asia-Pacific organisations do about the employee problem?
There is no doubt that cyber professionals in APAC need employees to gain clarity over their responsibilities when it comes to cybersecurity. After all, APAC was named ‘ground zero’ for cyber crime growth in 2023, when it experienced the highest year-over-year increase in weekly cyberattacks during the first quarter of the year.
Make following cyber security best practices easy
Proofpoint’s survey makes clear employees are taking risks where it is more convenient or saves them time. Cyber security professionals can only reduce this risk if they endeavour to make following secure practices as simple as possible and remove any barriers employees may face to doing the right thing.
For example, this may involve working with IT teams to ensure something as simple as streamlined access to an efficient IT help desk. This would give employees streamlined access to a VPN, so they avoid connecting to unsecured networks, and would resolve account or password issues, removing the temptation to share passwords.
“Work with business stakeholders and prioritise ease-of-use when implementing security policies,” Proofpoint said in its survey. “Users will be less inclined to circumvent systems if security aligns with their goals. And they are more likely to use a control if it is intuitive and does not require any training.”
Educate to build cyber security awareness and culture
Education and raising awareness will continue to play a critical role. If employees in the region are still unsure in many cases about their role in information security management, it only makes sense to boost investment in delivering engaging cyber security training resources that can support an uplift in understanding of threats.
This could include training resources that focus on the top risks cited by cyber security professionals. Employees could be better informed about practices like clicking on links or downloading attachments that could increase phishing or malware risk, while being supported with tools that flag emails as coming from outside the organisation.
Building a strong cyber security culture is the endgame. Organisations that have success with engaging employees in cyber security often enlist employees in helping the organisation spot issues. For example, a phish-reporting Slack or other communications channel can act as a vehicle for reporting, healthy competition and staff reward.