Mark Lukie, Director of Solution Architects – APAC, Barracuda, speaks to us about the company’s latest financial report, which highlights why Australian businesses in the banking sector need to take their cybersecurity more seriously.
Despite the current wave of cyberattacks targeting businesses, governments and individuals, there remains an alarming lack of awareness among many Australian employees of the risks they face.
The State of Cyber Resilience in Australia 2022 survey of Australian workers found the majority do not understand the threats that can exist within emails and could unwittingly cause significant damage and losses to their organization. The survey results are based on responses from more than 500 staff in Australian organizations of at least 50 employees.
Of those surveyed, 60% said they believed clicking on links contained in business emails was safe while more than half (52%) admitted they would click on a link if the email appeared to come from a sender that they trusted.
The results are a wake-up call for FinTech firms and show there is a pressing need for more cybersecurity awareness training. Staff need to understand the dangers that can be contained within emails and the steps that should be taken to minimize risks.
The need for training has been made even more acute with the shift to hybrid working patterns in the wake of the COVID-19 pandemic. When working from home, staff are no longer protected by corporate firewalls and other measures and are thus more susceptible to attacks.
Concerningly, more than half (51%) of survey respondents admitted they had suffered a cybersecurity breach during the past 12 months, with a further 16% saying this had occurred within the past year.
Phishing adds up as a top threat
Of the attacks that can be mounted via email, phishing remains the most dominant type experienced by Australian financial organizations. The increasing sophistication of cybercriminals means phishing emails can be very difficult to distinguish from legitimate messages.
Some can entice users to click on links and divulge personal information. Others come with attachments containing malicious code. Once opened, this code can rapidly infest the user’s device and then spread to wider corporate systems.
Of the survey respondents who admitted to having clicked on a malicious link within an email, almost half (48%) said they realised their mistake when they found themselves redirected to a suspicious website or service that requested details from them.
More encouragingly, 41% said the link was flagged as malicious by their organization’s IT systems, while a further 21% said a red flag was raised by their web browser. Less than a quarter (20%) said they became aware only after their device had become infected by malware or ransomware.
Invest in improved user training
When mapping out their staff training schedules for the coming year, the survey highlights the need for financial organizations to allocate more time and resources to cybersecurity awareness.
The survey found 92% of employees believe cybersecurity is either very or extremely important, however, more than one in three (37%) said they had not received training in any aspect of the topic.
Of those that had received training, 42% said it had been focused on phishing attacks while email security was nominated by 40% of respondents. This was followed by malware (29%) and ransomware (23%).
Asked to reveal the number of hours they had spent in cybersecurity awareness training during the past year, 43% admitted it had either been none at all or less than one hour. A further 32% of respondents said they had received between one and three hours, with just 9% receiving four and five hours.
When it comes to sharing the results of cybersecurity awareness training with other staff, 43% of those surveyed said this did occur. A further 34% said this didn’t happen while 23% were unsure.
Experience shows that sharing results can be a good way to reinforce employee awareness and understanding of the scale of the shared security challenge faced by everyone. It also reinforces the message that an organiation is taking the challenge seriously and undertaking steps to ensure that overall security standards are being raised.
By increasing the focus on cybersecurity training, a FinTech firm can ensure it is better placed to avoid potentially damaging attacks. The result will be greater awareness among staff and a more secure workplace.
Leading by example
Interestingly, the survey also revealed that senior managers are more likely to cause security issues than junior members of staff. This is because a higher proportion of managers admitted they circumvent security controls as part of their day-to-day activity.
When asked whether they use unauthorised third-party software or cloud services, more than half (52%) of senior managers confirmed this was the case compared with an average of 44% across all survey respondents.
The gap was even starker when it came to carrying out computer system updates where 63% of senior managers admitted they had done this. This is compared to 32% of all respondents.
These results are particularly surprising because the survey found 66% of senior staff considered they were ‘extremely’ aware of the importance of cybersecurity compared with the survey average of 53%. It’s clear that more managers need to lead by example.
The issue of cybersecurity is going to remain significant across the finance sector. Management teams, therefore, need to urgently put in place all the elements required to ensure comprehensive protection is achieved.