CISOs know that best practices in information security management come down to both people and technology. Without employees and a strong security culture on your side, technology implementation will not stop threat actors, who continue to enter organizations.
It seems that Asia-Pacific employees don't get the message. Cybersecurity company Proofpoint recently surveyed 7,500 employees and 1,050 security professionals in 15 countries, including Australia, Japan, South Korea and Singapore. He The company found that in Asia and the PacificMany employees confess to behaviors that increase the risk of being compromised (such as accessing inappropriate websites) despite knowing that what they are doing is risky.
Many employees cite convenience and the need for speed as reasons. A large proportion are also unsure of their security responsibilities or believe it is someone else's job, despite the investment that has been put into cybersecurity education and awareness across the region.
How many employees are taking risky actions?
63% of employees in the four countries surveyed in the Asia-Pacific region take risks with security, according to Proofpoint's State of the Phish report. To make this finding more worrying, a large proportion of them (98%) knew that what they were doing was risky while doing it, but they did it anyway.
SEE: Stay ahead of these top cybersecurity trends in Australia.
However, Japanese employees face the least cybersecurity risks. More than half (53%) of respondents in Japan say they never take risky actions, compared to a global average of 29%. Proofpoint speculated that Japan's cultural values and focus on discipline may be behind Japan's relatively better security performance.
Asia-Pacific employees face less risk than those in global markets
Asia-Pacific employees are less likely to take risks compared to the global average, but they are more likely to do so when they know they shouldn't. Proofpoint's global statistics show that 71% of users worldwide take risky actions and 95% of global employees who take risky actions are aware of the risks they are taking.
What risky actions are employees taking?
Proofpoint found that four of the top five risks cited by security professionals are common behaviors among users. For example, the top risk cited by cyber professionals (accessing an inappropriate website) was the fourth most common risk behavior among employees. (Figure A). Proofpoint suggested that employees may not be clear that these are risky.
The most common risk behavior admitted by employees surveyed in the region was the use of a work device for personal activities. This despite the fact that it can increase susceptibility to phishing. For example, employees can receive and trust phishing emails they receive in a personal account, putting security at risk.
Employees were also actively reusing or sharing passwords, connecting their work device without using a VPN in a public place, and responding to emails and SMS messages from someone they didn't know.
Why do employees take risky actions?
Employees revealed the top reasons they engage in risky cybersecurity behaviors:
- 54% took the risk because it was more convenient.
- 38% had done it to save time at work.
- 23% had behavior driven by an urgent deadline.
Less common reasons why employees took risks with cybersecurity were also discovered:
- 19% took risks to save money.
- 19% had taken shortcuts to meet performance goals.
- 11% were trying to achieve a business revenue goal.
PREMIUM: Protect your organization with an information security policy.
Employees are not sure of their safety responsibility.
Employees in the Asia-Pacific region were the most likely among global employees surveyed to say they were unsure of their personal responsibility for cybersecurity. Proofpoint found that 57% of employees surveyed in the region said they were unsure of their responsibilities, compared to 54% globally.
The survey also revealed that IT security teams are overly reliant on employees' level of liability awareness. While 84% of IT security respondents said their employees believed they were responsible for security, only 39% of employees themselves said they considered it part of their responsibilities (Figure B).
What can Asia-Pacific organizations do about the employee problem?
There is no doubt that cyber professionals in APAC need employees to be clear about their cybersecurity responsibilities. After all, APAC was named “ground zero” for cybercrime growth in 2023, when it experienced the largest year-over-year increase in weekly cyberattacks during the first quarter of 2023.
Make it easy to follow cybersecurity best practices
The Proofpoint survey makes it clear that employees are taking risks when it is more convenient or saves them time. Cybersecurity professionals can only reduce this risk by striving to make it as simple as possible to follow secure practices and remove any barriers employees may face to doing the right thing.
PREMIUM: Consider using email templates for security alerts.
For example, this may involve working with IT teams to ensure something as simple as streamlined access to an efficient IT help desk. This would ensure optimized access to a VPN, prevent them from connecting to unsecured networks, and troubleshoot account or password issues to eliminate the temptation to share passwords.
“Work with business stakeholders and prioritize ease of use when implementing security policies,” Proofpoint said in its survey. “Users will be less willing to bypass systems if security aligns with their goals. And they are more likely to use a control if it is intuitive and does not require any training.”
Educate to create awareness and culture regarding cybersecurity
Education and awareness will continue to play a key role. If in many cases employees in the region are still unsure of their role in information security management, it makes sense to increase investment to offer attractive cybersecurity training resources that can contribute to improving the understanding of threats. .
This could include training resources that focus on the top risks for cybersecurity professionals. Employees could be better informed about practices like clicking on links or downloading attachments that could increase the risk of phishing or malware, while also having tools that flag emails as coming from outside the organization.
Building a strong cybersecurity culture is the ultimate goal. Organizations that are successful in engaging their employees in cybersecurity often enlist their employees to help the organization detect problems. For example, a Slack or communication channel reporting phishing can act as a vehicle for reporting, healthy competition, and rewarding staff.
