Mimecast research finds employee behaviour is leaving companies wide open to privacy incidents

Mimecast Limited, an email security and cyber resilience company, released the results of an Australian survey conducted by ACA Research, which found that 21% of workers surveyed had experienced a privacy incident in the last 12 months.

However, 19% of the respondents who experienced a privacy incident did not report it to their employer; when asked why, 38% of those said they did not think it was that important.

Types of privacy incidents included emailing personal or confidential work information to the wrong recipient, falling victim to a malicious email that allowed unauthorised access to work systems or data, and losing devices containing personal information.

Garrett O’Hara, Principal Technical Consultant at Mimecast, emphasises that more work needs to be done to make privacy a priority and better protect company and personal information at a time when cyber security issues and malicious activity are more common than ever.

“In 2020 people were adapting to huge changes in work practices due to the COVID pandemic, so it’s not surprising that some basics in cyber security and privacy slipped,” said O’Hara.

“Even so, not reporting a privacy issue is inexcusable, especially when you consider the significant security risk from disclosing personal information and professional data.”

“There’s also the potential financial loss to businesses and individuals when privacy incidents go unchecked and remedies aren’t put in place.”

The data also shows that while 74% of Australians say they take privacy seriously and do enough to protect data in their organisation, their behaviour doesn’t always reflect this:

  • 47% of respondents are downloading work information onto personal devices.
  • A third of employees don't always report strange or suspicious-looking emails to their employer.
  • This awareness is not consistent across the country: 75% of Queenslanders say they would always report suspicious-looking emails and not open them, whereas in New South Wales/Australian Capital Territory (NSW/ACT) this figure drops to 60%.
  • 39% of Australian workers are careless about avoiding public Wi-Fi and using only secure networks for work purposes.

Use of communication tools is exploding: 82% of respondents are using collaboration tools such as online chat, video and file sharing more than they were last year, which increases privacy risk for companies and staff.

This further increases the need for Australian businesses to prioritise privacy.

“Undoubtedly email is still an important communication tool for businesses, but many workers now use chat, multiple messaging apps, video and other solutions, so the potential for privacy slip-ups is increasing across the multiple platforms,” said O’Hara.

“Technology alone isn’t going to solve the issue. Regular and the right kind of security awareness training is critical.”

With a quarter of respondents stating they only receive training once a year, and over a third having skipped training, there is a strong risk that 'unstructured data', such as the content of messages between employees, ends up on the wrong side of a privacy incident.

“Our recently released State of Email Security 2021 Report supports the assertion that many businesses need a stricter and more relatable approach to privacy training and processes.”

“This report shows that 32% of Australian IT leaders feel their employees’ naivete about cybersecurity is their biggest challenge and 68% think it’s either likely or extremely likely their company will suffer a negative business impact from an email-borne attack in the next year.”

Industries, businesses and states most at risk according to the ACA research:

Mid-sized businesses (100-999 employees) performed the worst, with 28% of their employees saying they had been involved in a privacy incident. Even so, 14% of respondents working for companies with 1,000+ employees had been involved in a privacy incident.

Industries whose workers had the highest rate of privacy incidents were manufacturing (52%), followed by education, professional services, and healthcare and social assistance (all at 15%).

Even though manufacturing workers receive the most regular training, 82% of respondents in that industry have skipped privacy training, compared with 42% in professional services, 24% in healthcare and social assistance and 23% in finance.

Over one in three NSW/ACT employees know a colleague who has experienced a privacy incident in the past 12 months. This drops to around one in five for employees in South Australia and the Northern Territory.

Advice for businesses

Training:

Make it relevant and engaging. A once-a-year check-up isn't enough, especially when staff are more distracted than ever. Instead, use a combination of tools and some humour to make the training something people actually engage with.

With 90% of all cybersecurity incidents being a result of human error, regular and impactful training is essential. Training should also be compulsory, but if organisations make it interesting, people will be less inclined to skip it.

Culture:

Of the people who didn't report a privacy incident, 10% said they thought it would jeopardise their job, while 24% felt embarrassed. Fostering a culture of collaboration rather than punishment encourages employees to speak up and creates a more privacy-aware environment.

Evolving landscape:

Security threats, working conditions and technology are constantly changing. Organisational approaches to cybersecurity must keep pace.

Cybersecurity training models, and the technology used to protect against increasingly sophisticated cyberattacks, need to be updated for a COVID-era work environment.