Coinciding with National Privacy Awareness Week (May 3-7), Mimecast released findings of an Australian-based survey by ACA Research, showing 21% of workers surveyed have experienced a privacy incident over the last year.
However, the data reveals that almost one in five (19%) respondents who experienced a privacy incident did not report it to their employer, with 38% of them stating they didn’t think it was that important when asked why.
Privacy incidents include emailing personal or confidential work information to the wrong recipient, falling victim to a malicious email that allowed unauthorised access to work systems or data, and losing devices containing personal information.
According to Garrett O’Hara, Mimecast Principal Technical Consultant, “the data signifies more work is needed to make privacy a priority and better protect company and personal information at a time when cybersecurity issues and malicious activity are more common than ever.”
O’Hara continues: “In 2020, people were adapting to huge changes in work practices due to the pandemic, so it’s not surprising that some basics in cybersecurity and privacy slipped.”
He warns: “Even so, not reporting a privacy issue is inexcusable, especially when you consider the significant security risk from disclosing personal information and professional data. There’s also the potential financial loss to businesses and individuals when privacy incidents go unchecked and remedies aren’t put in place.”
The data also shows that while 74% of Australians say they take privacy seriously and do enough to protect data in their organisation, their behaviour doesn’t always reflect this:
• Almost half (47%) of the respondents are downloading information onto personal devices
• A third of employees don’t always report strange or suspicious looking emails to their employer. This awareness is not consistent across the country: 75% of Queenslanders say they would always report suspicious looking emails and not open them, and in New South Wales/Australian Capital Territory (NSW/ACT) this figure drops to 60%
• 39% of Australian workers are careless when it comes to avoiding public Wi-Fi and only using secure networks for work purposes.
Use of communication tools exploding
The data says “82% of respondents are using collaboration tools like online chat and video and file sharing more than they were 12 months ago, contributing to increased privacy risks for companies and staff.”
This even further increases the need for Australian businesses to prioritise privacy, says O’Hara.
“Email is still an important communication tool for businesses, but many workers now use chat, multiple messaging apps, video and other solutions, so the potential for privacy slip-ups is increasing across multiple platforms”, he explains.
O’Hara believes security awareness training—“and the right kind”—is critical. With a quarter admitting they only receive training once a year, and over a third skipped training, he says “there’s a risk what we call ‘unstructured data’—like that contained in messages from one employee to another—can find itself on the wrong side of a privacy incident.
O’Hara cites the State of Email Security 2021 report, “asserting businesses need a stricter and more relatable approach to privacy training and processes. This report shows 32% of Australian IT leaders feel their employees’ naivete about cybersecurity is their biggest challenge and 68% think it’s either likely or extremely likely their organisation will suffer a negative business impact from an email-borne attack in the next 12 months.”
Industries, businesses, and states most at risk according to the ACA research:
• Mid-sized businesses (100-999 employees) performed the worst, with 28% of employees in mid-sized organisations saying they had been involved in a privacy incident. Still, 14% of respondents working for organisations with 1,000+ employees had been involved in a privacy issue.
• Industries whose workers had the highest rate of privacy issues were manufacturing (52%), followed by education, professional services, and health care and social assistance (all at 15%).
• Even though they trained regularly, 82% of respondents in manufacturing have skipped privacy training, compared with 42% in professional services, 24% in healthcare and social assistance and 23% in finance.
• Over one in three NSW/ACT employees know a colleague that has experienced a privacy incident in the past 12 months. This reduces to around one in five for employees in South Australia and the Northern Territory.
Advice for businesses
Mimecast advises to make training relevant and engaging. The email security company also recommends “a combination of tools.”
With 90% of all cybersecurity incidents being a result of human error, regular, and impactful training is essential. Training should “also be compulsory”, the Mimecast suggests, but if organisations make it interesting people will be less likely to want to skip it.
10% of people didn’t report a privacy incident because “they thought it would jeopardise their job, while 24% felt embarrassed. Fostering a culture of collaboration rather than punishment can encourage employees to speak up and create a more privacy-aware environment.”
Security threats, working conditions, and technology are constantly changing. Organisational approaches to cybersecurity must keep pace. Cybersecurity training models and the technology used to protect against increasingly sophisticated cyberattacks need to be updated for the COVID-19 work environment.
Here is Mimecast's great infographic: