HR departments need to increase focus on cybersecurity

Despite the current wave of cyberattacks targeting businesses, governments, and individuals, there remains an alarming lack of awareness among many employees about the risks they face.

The State of Cyber Resilience in Australia 2022 survey of Australian workers has found the majority do not understand the threats that can exist within emails and could unwittingly cause significant damage and losses to their organisation. The survey results are based on responses from more than 500 staff in Australian organisations of at least 50 employees.

Of those surveyed, 60 per cent said they believed clicking on links contained in business emails was safe while more than half (52 per cent) admitted they would click on a link if the email appeared to come from a sender that they trusted.

The results are a wake-up call for HR departments and show there is a pressing need for more cybersecurity awareness training. Staff need to understand the dangers that can be contained within emails and the steps that should be taken to minimise risks.

The need for training has been made even more acute with the shift to hybrid-working patterns in the wake of COVID-19. When working from home, staff may not be protected by corporate firewalls and other measures and are thus more susceptible to attacks.

Concerningly, more than half (51 per cent) of survey respondents admitted they had suffered a cybersecurity breach during the past 12 months.

Phishing remains a top threat

Of the attacks that can be mounted via email, phishing remains the most dominant type being experienced by Australian organisations. The increasing sophistication of cybercriminals means phishing emails can be very difficult to distinguish from legitimate messages.

Some can entice users to click on links and divulge personal information. Others come with attachments containing malicious code. Once opened, this code can rapidly infest the user’s device and then spread to wider corporate systems.

Of the survey respondents who admitted having clicked on a malicious link within an email, almost half (48 per cent) said they realised their mistake when they found themselves redirected to a suspicious website or service that requested details from them.

More encouragingly, 41 per cent said the link was flagged as malicious by their organisation’s IT systems while a further 21 per cent said a red flag was raised by their web browser. Less than a quarter (20 per cent) said they became aware only after their device had become infected by malware or ransomware.
 
The need for improved user training

When mapping out their staff training schedules for the coming year, the survey highlights the need for HR teams to allocate more time and resources to cybersecurity awareness.

The survey found 92 per cent of employees believe cybersecurity is either very or extremely important, however more than one in three (37 per cent) said they had not received training in any aspect of the topic.

Of those that had received training, 42 per cent said it had been focused on phishing attacks while email security was nominated by 40 per cent of respondents. This was followed by malware (29 per cent) and ransomware (23 per cent).

Asked to reveal the number of hours they had spent in cybersecurity awareness training during the past year, 43 per cent admitted it had either been none at all or less than one hour. A further 32 per cent of respondents said they had received between one and three hours with just 9 per cent receiving four and five hours.

When it comes to sharing the results of cybersecurity awareness training with other staff, 43 per cent of those surveyed said this did occur. A further 34 per cent said this didn’t happen while 23 per cent were unsure.

Experience shows that sharing results can be a good way to reinforce employee awareness and understanding of the scale of the shared security challenge faced by everyone. It also reinforces the message that an organisation is taking the challenge seriously and undertaking steps to ensure that overall security standards are being raised.

By increasing the focus on cybersecurity training, an HR department can ensure its organisation is better placed to avoid potentially damaging attacks. The result will be greater awareness among staff and a more secure workplace.

Security risks posed by senior managers

Interestingly, the survey also revealed that senior managers are more likely to cause security issues than junior members of staff. This is because a higher proportion of managers admitted they circumvent security controls as part of their day-to-day activity.

When asked whether they use unauthorised third-party software or Cloud services, more than half (52 per cent) of senior managers confirmed this was the case compared with an average of 44 per cent across all survey respondents.

The gap was even more stark when it came to carrying out computer system updates where 63 per cent of senior managers admitted they had done this. This compared to 32 per cent of all respondents.

These results are particularly surprising considering the fact that the survey found 66 per cent of senior staff considered they were ‘extremely’ aware of the importance of cybersecurity compared with the survey average of 53 per cent. It’s clear that more managers need to lead by example.

The issue of cybersecurity is going to remain significant for organisations of all sizes. HR departments therefore need to put in place all the elements required to ensure comprehensive protection is achieved.

Mark Lukie is the sales engineering director at Barracuda APAC

Note from the editor: please note that this article has been prepared for informational purposes only, and is not to be construed as advice.