How failing to protect employees online is harming Australian businesses

With an average of 164 cybercrimes reported every day, or one every 10 minutes, Australian organisations are under pressure to protect employees online.1

The emergence of the borderless workplace has increased organisational vulnerabilities, and a ransomware attack is predicted to occur every 11 seconds in 2021 globally.2 Malicious or criminal attacks remain the leading source of cyberbreaches for organisations, with a rising number of breaches caused by human error. Between July and December 2020, human error accounted for 38 per cent of data breaches, which was an increase of 18 per cent compared to the first half of the year.3 The threat of cybercrime is rapidly increasing, with cyberattacks growing by 48 per cent since March 2020 as bad actors specifically target remote workers.4

These statistics prove that Australian organisations need to do more to stay one step ahead when it comes to protecting employees and the business online.

The Real Business Impact of a Cyberbreach

The impact of a cyberbreach can be severe and can even cause businesses to completely fail. For business, a breach is costly in terms of financial loss, operational downtime, and reputational risk. Studies show that 29 per cent of businesses that faced a data breach ended up losing revenue and, of those businesses, 38 per cent lost 20 per cent or more of their income.5

In addition to revenue loss and operational downtime, cyberbreaches can result in legal action and fines against a business for failing to protect personal data. Under Australia’s Notifiable Data Breaches Scheme, any organisation or government agency covered by the Privacy Act 1988 must notify individuals affected and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.6

Failure to report a breach is considered a breach of the Privacy Act and involves legal repercussions in accordance with the Act.

A cyberbreach can also lead to reputational damage to the business that can take many years to recover from, with some organisations simply never recovering from the damage.

Key areas where organisations are failing to protect employees online

Many businesses don’t realise that the smallest and often unknown security gap can provide an easy pathway for malicious actors to breach employee and organisational data. There are four key areas where Australian organisations are currently failing to protect employees online:

1. Education and Engagement


Organisations of all sizes are targets for cybercriminals, with risks spanning across phishing attacks, malware and ransomware attacks, as well as insider threats. This is often because employees are either unaware of cyberthreats, don’t understand how to respond when a threat occurs, or are uninterested in cybersecurity as they believe it won’t happen to them.

In the current volatile market, understandably, most businesses are focused on economic recovery and building market resilience. However, business resilience depends on educating and engaging employees in cybersecurity. Employees are an organisation’s first line of defence and greatest weakness when it comes to cybersecurity, yet many organisations are still failing to educate and engage their employees about cyberthreats.

2. Endpoint Security and Network Protection


Many organisations focus business investment on potential growth areas, while leaving critical business systems such as legacy security software as an afterthought.

Unfortunately, businesses with outdated endpoint security or network protection are highly exposed when it comes to cyberthreats. Using outdated security tools makes companies just as vulnerable to a successful cyberattack as organisations that don’t have any cybersecurity protection. A small investment in endpoint security and network protection can protect the business from significant financial, operational, and reputational risk.

3. Application Security and Data Protection


The move to remote work meant organisations needed to quickly adapt with new methods of file sharing among customers, suppliers, and employees. This has increased reliance on email and personal file-sharing applications. While this helped businesses to cope with the short-term disruption, in the longer term, organisations without a secure file-sharing platform are at greater risk of ransomware and malware attacks, as well as confidential business and employee data falling into the wrong hands.

4. People and Identity


Despite the risks, many organisations continue to figuratively leave their front door unlocked to criminals when it comes to online authentication. In a recent survey, more than 40 per cent of companies were breached via a weak password, with 48 per cent of workers using the same passwords for both their personal and work accounts. This may be why compromised passwords are responsible for 81 per cent of hacking-related breaches.1 Without secure authentication processes, such as multifactor authentication and identity-based security, businesses are risking their valuable data and employees’ online safety.

Four Ways to Protect Employees and Businesses Online

While there are inherent risks with doing business online, there are also simple and affordable measures that organisations can use to protect the company and its employees. These include having a clear cybersecurity strategy and process, building a cybersecurity culture, adopting tools that protect employees online, and ensuring data governance:

1. Have a Clear Cybersecurity Strategy and Processes in Place


A clear cybersecurity strategy, documented clearly so that everyone outside the IT team can understand it, helps to engage employees and creates an understanding of cybersecurity requirements within the business. The strategy should outline measures the business takes to proactively protect employees and business data online as well as employee responsibilities to ensure data protection. The strategy must also include clear processes and reporting mechanisms, so employees know how to report an incident and don’t feel uncomfortable with filing a report if they have caused a breach.

2. Build a Cybersecurity Culture


Businesses should make cybersecurity a core part of the business culture. This involves using engaging educational modules as part of induction training for new employees and maintaining regular short cybersecurity training updates to keep existing employees aware of emerging cybersecurity risks. Businesses should also regularly remind employees about how to protect themselves online in everyday life, and gamify the process using online scenarios to solidify cybersecurity training and increase adoption rates.

3. Adopt Tools that Protect Employees Online


Implement a consolidated set of tools and processes that protect employees whenever they are online, no matter where they are based or which device they choose for work. These include tools and processes that encompass people and identity, vulnerability management, endpoint security, application security, network and data protection, and security monitoring and incident response.

4. Ensure Data Governance


Data is the new gold for organisations and its value only increases as more data types and volumes enter the business. To securely manage the velocity of organisational data, businesses should use a secure data solvency and archiving platform. Trusted, cloud-based platforms let businesses address legal and regulatory compliance, as well as data security, through a central repository that lets authorised users access the data insights they need on the devices they rely on.

1 ACSC Annual Cyber Threat Report July 2019 to June 2020, Australian Signals Directorate, Online
2 Cybercrime To Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine, Online
3 Notifiable data breaches statistics, Office of the Australian Information Commissioner, Online
4 The Year of Social Distancing, Mimecast, White Paper
5 4 Damaging After-Effects of a Data Breach, Cybint, Online
6 Notifiable data breaches statistics, Office of the Australian Information Commissioner, Online
