To coincide with National Privacy Awareness Week (3 – 9 May 2021), Mimecast Limited (NASDAQ: MIME), a leading email security and cyber resilience company, has released the results of an Australian-based survey by ACA Research, showing that 21% of workers surveyed have experienced a privacy incident over the last 12 months.
However, the data reveals that almost one in five (19%) respondents who experienced a privacy incident did not report it to their employer, with 38% of them stating they didn’t think it was that important when asked why.
Types of privacy incidents included emailing personal or confidential work information to the wrong recipient, falling victim to a malicious email that allowed unauthorised access to work systems or data, and losing devices containing personal information.
According to Garrett O’Hara, Principal Technical Consultant at Mimecast, this shows that more work needs to be done to make privacy a priority and better protect company and personal information at a time when cybersecurity issues and malicious activity are more common than ever.
“In 2020 people were adapting to huge changes in work practices due to the COVID pandemic, so it’s not surprising that some basics in cybersecurity and privacy slipped,” said O’Hara. “Even so, not reporting a privacy issue is inexcusable, especially when you consider the significant security risk from disclosing personal information and professional data. There’s also the potential financial loss to businesses and individuals when privacy incidents go unchecked and remedies aren’t put in place.”
The data also shows that while 74% of Australians say they take privacy seriously and do enough to protect data in their organisation, their behaviour doesn’t always reflect this:
- Almost half (47%) of the respondents are downloading information onto personal devices
- A third of employees don’t always report strange or suspicious-looking emails to their employer. This awareness is not consistent across the country – 75% of Queenslanders say they would always report suspicious-looking emails and not open them, while in New South Wales/Australian Capital Territory (NSW/ACT) this figure drops to 60%
- 39% of Australian workers are careless when it comes to avoiding public Wi-Fi and only using secure networks for work purposes
Use of communication tools exploding
Of note, 82% of respondents are using collaboration tools like online chat, video and file sharing more than they were 12 months ago, contributing to increased privacy risks for companies and staff.
O’Hara stated that this further increases the need for Australian businesses to prioritise privacy.
“Undoubtedly email is still an important communication tool for businesses, but many workers now use chat, multiple messaging apps, video and other solutions, so the potential for privacy slip-ups is increasing across the multiple platforms,” said O’Hara.
“Technology alone isn’t going to solve the issue. Regular security awareness training – and the right kind – is critical. With a quarter of respondents stating they only receive training once a year, and over a third having skipped training, there’s a strong risk that what we call ‘unstructured data’ – like that contained in messages from one employee to another – can find itself on the wrong side of a privacy incident.
“In addition to this research, our recently released State of Email Security 2021 Report supports the assertion that many businesses need a stricter and more relatable approach to privacy training and processes. This report shows that 32% of Australian IT leaders feel their employees’ naivete about cybersecurity is their biggest challenge and 68% think it’s either likely or extremely likely their organisation will suffer a negative business impact from an email-borne attack in the next 12 months.”
Industries, businesses and states most at risk according to the ACA research:
- Mid-sized businesses (100-999 employees) performed the worst, with 28% of employees in mid-sized organisations saying they had been involved in a privacy incident. Still, 14% of respondents working for organisations with 1,000+ employees had been involved in a privacy issue.
- Industries whose workers had the highest rate of privacy issues were manufacturing (52%), followed by education, professional services, and health care and social assistance (all at 15%).
- Even though they have the most regular training, 82% of respondents in manufacturing have skipped privacy training, compared with 42% in professional services, 24% in healthcare and social assistance and 23% in finance.
- Over one in three NSW/ACT employees know a colleague who has experienced a privacy incident in the past 12 months. This reduces to around one in five for employees in South Australia and the Northern Territory.
Advice for businesses
Training: make it relevant and engaging. A once-a-year check-up isn’t enough, especially when staff are more distracted than ever. Instead, use a combination of tools and some humour, and make the training something that people engage with. With 90% of all cybersecurity incidents being a result of human error, regular and impactful training is essential. Training should also be compulsory, but if organisations make it interesting people will be less likely to want to skip it.
Culture: 10% of people who didn’t report a privacy incident said it was because they thought it would jeopardise their job, while 24% felt embarrassed. Fostering a culture of collaboration rather than punishment can encourage employees to speak up and create a more privacy-aware environment.
Evolving landscape: security threats, working conditions and technology are constantly changing. Organisational approaches to cybersecurity must keep pace. Cybersecurity training models and the technology used to protect against increasingly sophisticated cyberattacks need to be updated for a COVID work environment.
The research was undertaken by ACA Research from 1st to 8th April 2021 and includes 1,045 responses from a sample of Australians working in businesses with 100+ employees, aged 18 and above.