Data breaches hit the headlines last year, but they have seemingly had little impact on how IT decision-makers view the risks to their organisations. According to the latest research from KnowBe4, just under half (45 percent) of Singaporean IT decision-makers say they are concerned about phishing as a risk to their organisation, compared with 53 percent in 2021. Even fewer (30 percent) worry about Business Email Compromise, compared with 2021’s 40 percent.
What are the other findings from KnowBe4’s research?
Alarmingly, fewer than two in five (37 percent – 51 percent in 2021) IT decision-makers say they are confident they would know the steps they would need to take following a cyber incident or data breach in their organisation. In addition, fewer than half (47 percent) of Singaporean IT decision-makers believe their charges understand a cyber-attack’s business impact.
The research also reveals that four in ten of the respondents are confident their employees can identify phishing and BEC emails (37 percent – 43 percent in 2021), and that their employees report all emails they believe to be suspicious (41 percent – 40 percent in 2021).
Employees’ behaviour putting organisations at risk
The recent data breaches have not improved employees’ password hygiene. More than a third (34 percent) of Singaporean office workers admit to using the same password for more than one account, a figure that, alarmingly, shows little significant change from 2021 (33 percent in 2021).
Employees of all ages are engaging in risky behaviour, with more than one in ten admitting to using their work phone (13 percent) and their work email address (6 percent) for personal activities. Of most concern, more than half (57 percent) don’t believe that using their work email address for unrelated personal activity is a significant security risk to their employer.
Six in ten say they never engage with suspicious emails (61 percent) and suspicious SMSs (57 percent – 63 percent in 2021), with fewer than four in ten (35 percent – 37 percent in 2021) always reporting such emails and SMSs to the IT team responsible for cybersecurity.
Younger employees are the most risky
The KnowBe4 research reveals that office workers from the millennial generation may be the most prepared for cyber-attacks because they are more likely to be confident in identifying which emails are real/legitimate and which ones are fake/scams (Millennials 57 percent compared to Gen Z 42 percent, Gen X 39 percent, and Baby Boomers 43 percent).
In addition, Millennial office workers may be most prepared for cyber-attacks as they are more likely to never engage with suspicious SMS (Millennials 63 percent compared to Gen Z 47 percent and Baby Boomers 48 percent). However, they are also more likely to use the same password for more than one account (Millennials 39 percent compared to Gen X 28 percent).
Furthermore, they also believe that using work email for non-work-related personal activity is not a risk to themselves (Millennials 53 percent compared to Gen X 60 percent) and to their employer (Millennials 51 percent compared to Baby Boomers 66 percent).
What do the findings mean for IT leaders?
Jacqueline Jayne, Security Awareness Advocate for APAC at KnowBe4, is concerned: “When those charged with keeping a business secure are unaware of the risks and employees are unable to identify scam emails and SMS messages, their organisations are at significant risk.”
She continued, “According to the Singaporean Police Force, Singaporeans lost $660.7 million in 2022, almost S$1.3 billion in the past two years. Subsequently, if the individuals in charge of IT security are not aware of the best practices, then they cannot educate and train employees.”
“When employees use their work email for personal activities such as online shopping, they are more likely to fall victim to a phishing attack that uses hooks like delivery delays to entice the victim to click through. Having a clear separation between work and personal activities makes it much easier to spot when an email is a scam – if you know you never shop online using your work email address, then you know that email from Amazon cannot be real,” explained Jayne.
“How employees perceive their role is critical in sustaining or endangering the firm’s security. Employees must be educated on securing their pro and personal environments. What they learn and how they incorporate it into daily behaviours and attitudes is then completely transferable into their personal lives and will protect their own data,” she concluded.