Careless employees the greatest cybersecurity threat to Australian businesses
Sydney, Monday 6 February 2017
- 84% of Australian businesses consider careless employees to be the most likely source of cyber attack in 2016, up from 55% in 2015
- 90% identify poor user awareness/behaviour as the main risk associated with the growing use of mobile devices
- Only 56% plan to invest in security awareness and training for staff, even though 71% of respondents nominated it as a high priority item
Australian organisations are increasingly aware of the threat a careless employee can pose to cybersecurity but are failing to invest in improving staff capability, according to EY’s Global Information Security Survey (GISS), Path to cyber resilience: Sense, resist, react.
The survey of 1,735 organisations globally, including 49 from Australia, showed that Australian businesses rank careless employees as the most likely source of a cybersecurity attack (84%), ahead of criminal syndicates (63%), hacktivists (57%) and state-sponsored attackers (37%).
Australian respondents are also more concerned about the growing use of mobile devices than their global counterparts. In Australia, 90% of respondents nominated poor user awareness and behaviour as the main risk associated with the growing use of mobile devices, compared to 73% of global respondents.
Richard Watson, EY Oceania Cyber Leader, said that while it was clear the internal risks posed by employees were a serious concern for many Australian businesses, remedial action is not yet enough of an organisational priority.
“If businesses want to avoid the potentially significant monetary and reputational risks associated with a breach or attack resulting from staff carelessness, they need to invest in proper training – particularly when it comes to the safe use of mobile devices.
“While employees currently present the greatest risk to Australian organisations, as the front line of every organisation’s cyber defence, they also present the greatest opportunity to increase a business’s cyber resilience,” Mr Watson said.
This year’s survey also shows continued weakness in directors’ cybersecurity awareness, with over half of respondents (53%) indicating that their board does not have sufficient knowledge of information security and only 39% indicating they are taking positive steps to improve their understanding.
Mr Watson said while the focus on upskilling staff to deal with cyber threats was important, top-down leadership is also required to effectively address cybersecurity risks.
“Our report demonstrates Australian boards need to develop the capability to provide effective cybersecurity leadership to senior management, particularly when it comes to critical decisions around which cybersecurity functions are able to be effectively, and safely, outsourced.”
Notes to Editors
Some highlights of the industries surveyed globally
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com.
This news release has been issued by Ernst & Young Australia, a member firm of Ernst & Young Global Limited.
Liability limited by a scheme approved under Professional Standards Legislation.
About the survey
EY’s 19th annual Global Information Security Survey captures responses from 1,735 C-suite leaders and IT executives and managers from most of the world’s largest and most recognized global companies. The survey was conducted between June 2016 and August 2016.