Employee behaviour is a critical factor in companies preventing data breaches. Adhering to cybersecurity practices, such as regular training and communication with IT departments, can help to protect against severe security risks. But how seriously do companies in Australia take cybersecurity culture? What measures do they have in place? Read our survey results to find out.
In this article
- Just over a quarter of companies faced a data breach in 2023
- Most employees think their company takes cybersecurity seriously
- 45% of employees use the same password for multiple accounts
- 2FA is one of the most implemented cybersecurity measures by companies
- The majority of companies require cybersecurity training at least once a year, but employees want more
Everyone in a company, from leadership to frontline employees, shares the responsibility for cybersecurity. An organisation with a cybersecurity culture sets the tone for how employees perceive and prioritise risks and data breaches. Such practices reinforce that it’s not only the IT department’s responsibility but a collective effort that requires the participation of every worker.
High-risk or thoughtless employee behaviour can make companies vulnerable to cyberattacks, especially during the age of remote work. For example, employees working remotely often use personal networks, which may lack the same level of security as corporate ones. Cybercriminals can exploit home network vulnerabilities to gain unauthorised access to sensitive information. In this case, employee awareness and virtual private networks (VPNs) are essential.
Capterra’s first article in this two-part series examined the cybersecurity threats in Australia that companies are most concerned about. But are organisations aware of high-risk employee behaviours? Are they offering enough in the way of employee cybersecurity training programs? Capterra surveyed 714 people working for companies that use cybersecurity tools to learn more about their cybersecurity protocols. The full methodology is at the bottom of this article.
Just over a quarter of companies faced a data breach in 2023
At the end of 2023, the Office of the Australian Information Commissioner (OAIC) released its Notifiable Data Breaches report covering the first six months of the year. It reported that 409 data breach notifications were received in that period, with 23 breaches affecting more than 5,000 Australians and two affecting more than 10 million. Human error remains one of the leading causes of data breaches, whether employees fall victim to phishing attacks, use weak passwords or inadvertently disclose confidential data.
Capterra’s own Data Security Report found that over a quarter of employees (26%) said their company experienced a data breach in the 12 months prior to taking the survey (17% said they had one data breach, and 9% said they had multiple breaches). Whilst the majority (63%) said their company hadn't faced a breach, the outlook could still be better for businesses in Australia.
When asked which types of data breaches their company experienced, survey takers mostly said that hackers or outsiders had maliciously accessed their systems (52%). Hackers can strike in various ways, such as gaining access to databases and extracting and transferring sensitive data from the network. Other ways in which companies experienced breaches include:
- A database or other online data source was accidentally left unsecured (46%)
- An employee or other insider stole company data (31%)
- A company device was lost or stolen (19%)
Most employees think their company takes cybersecurity seriously
Employee confidence in their company prioritising security is a key factor in building a resilient cybersecurity culture, reducing human error and enhancing incident response capabilities. Capterra found that a combined total of 93% of employees have some level of confidence in their company taking cybersecurity seriously (35% said they were very confident, 38% said quite, and 20% said somewhat).
When asked whether they had ever raised cybersecurity concerns with the company's IT department, only 36% of respondents said yes. Perhaps this is due to a lack of employee awareness of potential threats, and workers may need help understanding the significance of certain activities.
Employees should be considered the first line of defence against data breaches as they may be the first to notice suspicious activities or other potential security risks within the company. Encouraging employees to report concerns allows businesses to detect and respond to potential threats early, preventing them from escalating into more significant security incidents. But how were employees received by their IT departments when they did report a security concern?
Respondents most frequently said the IT team was open to communication (60%), encouraging them to voice any concerns and feedback on security measures. Encouraging employee involvement was the next most cited response: 49% of those who reported a cybersecurity concern said their IT department wanted workers to suggest ideas and report vulnerabilities.
Other ways companies respond to employee security concerns include:
- Employee training (38%)
- Reminder of cybersecurity policies and guidelines (34%)
- Transparency about the incident from IT (34%)
45% of employees use the same password for multiple accounts
The level of access that employees have to company data varies and depends on factors such as their responsibilities and the company's data access policies. For example, employees in the accounts department will have access to financial systems, while those in HR can access personnel records.
Most survey takers said employees in their company only have access to the data needed to perform their jobs (57%). A further 30% said they had access to more data than strictly necessary, and 9% said they had access to all company data. With almost 40% of employees having access to too much data, organisations should assess their permissions to reduce the risk of data breaches from insider threats, especially when it comes to trade secrets or proprietary data.
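The permissions review recommended above can be automated. The following is an added example, not code from the Capterra article or from any surveyed company: it compares each account's granted permissions against a per-role baseline of what the job actually needs, classifies the account in the same three bands the survey used (only what the job needs, more than necessary, all company data), and flags any excess grant that reaches sensitive data such as personnel records or trade secrets. The roles, permission names, wildcard convention and sample accounts are all constructed for the example.

```python
"""Added example (not from the Capterra article): audit account permissions
against per-role baselines and report over-provisioned accounts.
All roles, permission names and users below are constructed sample data."""
from dataclasses import dataclass

# Constructed baselines: the permissions each job function actually needs.
ROLE_BASELINE = {
    "accounts": frozenset({"finance.ledger.read", "finance.ledger.write",
                           "finance.invoices.read"}),
    "hr": frozenset({"hr.personnel.read", "hr.personnel.write"}),
    "sales": frozenset({"crm.read", "crm.write"}),
}

# Constructed list of permissions whose excess grant is an insider-threat risk.
SENSITIVE = frozenset({"hr.personnel.read", "hr.personnel.write",
                       "finance.ledger.write", "ip.trade_secrets.read"})


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    granted: frozenset  # permissions actually held; "*" or "prefix.*" are wildcards


def covers(grant: str, perm: str) -> bool:
    """True if a granted string (possibly a wildcard) includes a concrete permission."""
    if grant == "*":
        return True
    if grant.endswith(".*"):
        return perm.startswith(grant[:-1])  # keep the trailing dot: "finance."
    return grant == perm


def audit(accounts, baseline=ROLE_BASELINE):
    """Classify every account and list its excess and sensitive-excess grants."""
    findings = []
    for acct in accounts:
        needed = baseline.get(acct.role, frozenset())
        excess = set(acct.granted) - needed
        sensitive_excess = {s for s in SENSITIVE if any(covers(g, s) for g in excess)}
        if "*" in acct.granted:
            level = "all-data"
        elif excess:
            level = "over-provisioned"
        else:
            level = "least-privilege"
        findings.append({"user": acct.user, "role": acct.role, "level": level,
                         "excess": sorted(excess),
                         "sensitive_excess": sorted(sensitive_excess)})
    return findings


def summarise(findings):
    """Count and percentage per band, comparable to the survey's 57% / 30% / 9% split."""
    counts = {"least-privilege": 0, "over-provisioned": 0, "all-data": 0}
    for f in findings:
        counts[f["level"]] += 1
    total = len(findings)
    return {level: (n, round(100 * n / total)) for level, n in counts.items()}


# Constructed sample accounts.
SAMPLE = [
    Account("alice", "accounts", ROLE_BASELINE["accounts"]),
    Account("bob", "hr", ROLE_BASELINE["hr"] | {"finance.ledger.read"}),
    Account("carol", "sales", frozenset({"*"})),
    Account("dave", "sales", frozenset({"crm.read"})),
    Account("erin", "accounts", ROLE_BASELINE["accounts"] | {"hr.personnel.read"}),
]

if __name__ == "__main__":
    findings = audit(SAMPLE)
    for f in findings:
        if f["level"] != "least-privilege":
            print(f"{f['user']:6} {f['level']:16} excess={f['excess']} "
                  f"sensitive={f['sensitive_excess']}")
    print(summarise(findings))
```

Accounts under the baseline (dave) are not flagged: the audit is about excess access, and whether someone is missing a permission surfaces through normal access requests. Wildcard grants are treated as excess whenever the baseline does not itself contain that wildcard, because a "finance.*" grant silently grows as new finance permissions are added.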
Password management habits are also crucial, as poor practices can expose a company to various data breach risks and compromised systems. But what are the password management habits of employees when accessing their accounts? Nearly half of employees (45%) said they use the same password for multiple accounts. Cybercriminals often attempt to exploit password reuse, and compromising one account allows them to gain unauthorised access to additional ones, including those with sensitive data.
A smaller group of survey takers (13%) said they had experienced an account takeover (where someone stole their username and password to access an online account) within the last year. Even though the majority (83%) said they hadn't experienced an account takeover, it highlights that companies need to tighten employee awareness and cybersecurity practices for the few who have been victims of a data breach.
2FA is one of the most implemented cybersecurity measures by companies
High-risk employee security behaviour is further revealed in our survey results, as over half of respondents (53%) said they or someone in their company had clicked on a malicious link in a phishing email. Employees may click on phishing links because the emails mimic the style and format of internal company communications. Employees may not carefully scrutinise emails in a busy work environment, especially if they receive a high volume of messages, again reiterating the need for cybersecurity awareness and regular training.
But what other security measures should companies enforce to aid data breach prevention? Implementing strong authentication methods adds an extra layer of security beyond passwords. When asked what measures or policies their company has implemented to protect against cyber threats, respondents most often named two-factor authentication (2FA) (62%) and a password policy (61%).
Enabling multi-factor authentication (MFA), such as 2FA, is useful for employees accessing company systems or email remotely, especially over public networks. It adds an extra layer of security for employees who connect from outside the corporate network, ensuring that even if login credentials are compromised, an additional factor is required for access. Even where a company has implemented a password policy, that doesn't necessarily mean employees are adhering to it.
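The claim that a compromised password alone should not be enough to log in is easy to demonstrate in code. Below is an added example, not code from the Capterra article or any product it mentions: a login step that checks a stored password hash and then a time-based one-time code (TOTP as specified in RFC 6238, implemented with Python's standard library), with a small clock-drift window and a guard against replaying a code that has already been accepted. The user record, password, shared secret and fixed timestamps are constructed for the example; the one RFC test vector in the test is the published one.

```python
"""Added example (not from the Capterra article): password + TOTP login where
the password alone never grants access. User data and timestamps are constructed."""
import base64
import hashlib
import hmac
import os
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """Time-based one-time password for the 30-second step containing `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(at) // STEP, digits)


def make_user(password: str, totp_secret: str) -> dict:
    """Store a salted PBKDF2 hash of the password plus the enrolled TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "totp_secret": totp_secret}


class Authenticator:
    def __init__(self, users: dict):
        self.users = users
        self.last_step = {}  # username -> last accepted time step (replay guard)

    def check_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(digest, user["pw_hash"])

    def check_totp(self, username: str, code: str, now: int, window: int = 1) -> bool:
        """Accept the current step or one either side (clock drift), but never a
        step at or before the last one already accepted for this user."""
        key = base64.b32decode(self.users[username]["totp_secret"], casefold=True)
        current = int(now) // STEP
        for step in range(current - window, current + window + 1):
            if step <= self.last_step.get(username, -1):
                continue
            if hmac.compare_digest(hotp(key, step), code):
                self.last_step[username] = step
                return True
        return False

    def login(self, username: str, password: str, code, now: int) -> str:
        # Both factors are required; a correct password with no code is refused.
        if not self.check_password(username, password):
            return "denied: bad credentials"
        if code is None or not self.check_totp(username, str(code), now):
            return "denied: second factor required"
        return "granted"


# Constructed sample user and a fixed "now" so the run is reproducible.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SECRET = "JBSWY3DPEHPK3PXP"
DEMO_NOW = 1_700_000_000


def demo():
    auth = Authenticator({"alice": make_user(DEMO_PASSWORD, DEMO_SECRET)})
    code = totp(DEMO_SECRET, DEMO_NOW)
    return [
        auth.login("alice", DEMO_PASSWORD, None, DEMO_NOW),      # password only
        auth.login("alice", "wrong-password", code, DEMO_NOW),   # code but wrong password
        auth.login("alice", DEMO_PASSWORD, code, DEMO_NOW),      # both factors
        auth.login("alice", DEMO_PASSWORD, code, DEMO_NOW + 5),  # same code replayed
        auth.login("alice", DEMO_PASSWORD, totp(DEMO_SECRET, DEMO_NOW + STEP), DEMO_NOW + STEP),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replay guard matters because a TOTP code stays valid for the whole 30-second step (plus the drift window); recording the last accepted step per user means a code captured from a phishing page cannot be reused once the legitimate login has gone through.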
The majority of companies require cybersecurity training at least once a year, but employees want more
There are a multitude of reasons why regular employee cybersecurity training is crucial, especially as it keeps staff informed about the latest cyber threats, phishing techniques, malware and other types of attacks. This level of awareness enables workers to recognise and respond to emerging threats promptly.
Respondents had varying answers when asked how often their company required them to undergo cybersecurity awareness training. A combined total of 64% of employees said they had training at least once a year (28% said once every six months and 36% once a year).
For others, cybersecurity training proved to be less frequent:
- 18% said they did not have it regularly
- 8% said they only had it when they joined the company
- 10% had never received any cybersecurity training
However, it is apparent that employees want to learn more about cybersecurity practices. When they were asked how their company could better engage them in security efforts, education and training was the top answer (58%). Regular training contributes to building a strong security culture within an organisation, and once ingrained, employees are more likely to prioritise security measures in their daily activities. So, what measures should companies implement?
The following steps help improve employee cybersecurity behaviour:
1. Comprehensive cybersecurity training: Provide regular cybersecurity training for all employees. Cover topics such as phishing awareness, password security, safe browsing practices, and reporting security incidents.
2. Simulated phishing exercises: Conduct simulated exercises to test employees' ability to recognise and avoid phishing attempts. These exercises provide valuable insights into areas that may require additional training.
3. Clear security policies and guidelines: Establish clear and concise cybersecurity policies and guidelines. Ensure employees understand the rules and expectations regarding data handling, access controls, and secure communication.
4. Regular security reminders: Send regular security reminders and updates to keep security front of mind. These can include quick tips, examples of current threats, and reminders of key security practices.
5. Provide secure communication tools: Offer and encourage using secure communication tools and platforms. This includes encrypted email services, secure messaging apps, and collaboration tools with built-in security features.
Data for Capterra's Security Report survey was collected in November 2023. Results comprise responses from 714 participants. The criteria to be selected for this study are as follows:
- Australian resident
- Between 18 and 65 years old
- Employed full-time in a company with more than one employee
- Works for a company that uses cybersecurity software tools for protection and has some awareness of which tools are used
- A subset (568) are involved/aware of their company’s cybersecurity measures