Half of APAC employees surveyed said IT managers not stressing importance of good security practices.
The study shows that while customer data breaches and reputational damage around the world are encouraging businesses to re-examine their security practices, employee cyber behaviour still needs to change.
Conducted by Forrester Consulting, the study found that while 59 per cent of security and IT managers think they are ‘ticking the security compliance box’, their employees report a huge disconnect. More than half of the 240 employees surveyed in APAC (53 per cent) disagree with that statement, and 51 per cent believe their managers do not stress the importance of good security practices.
The survey was conducted across Australia, Hong Kong, New Zealand and Singapore between January and February 2020. It involved 120 senior IT and business decision makers responsible for cybersafety at companies with more than 100 employees.
Respondents represented 20 industry sectors including government, healthcare, legal, marketing, energy, telecommunications, transport and logistics.
The survey included a wide range of questions around Security Awareness and Training (SA&T) Programs in APAC, including security measure and implementation, employee behaviour changes, security culture and overall effectiveness in delivering effective training programs.
Results of the employer survey were measured against feedback from 240 knowledge workers within these companies, who regularly use email and digital channels in the workplace.
Across the region the study also found that attending SA&T activities does not necessarily translate to a change in behaviour for employees, with a third of SA&T attendees still admitting to flouting security policies — increasing to more than 50 per cent for respondents in New Zealand.
Nick Lennon, country manager for Mimecast Australia and New Zealand, said that while security leaders in APAC believe they’ve made security a social norm by leading and encouraging others, “this survey underscores that employees are not retaining, understanding or implementing key areas of cyber security training – and the existing outdated modes of training are simply not bringing about behavioural change”.
“In the current COVID-19 business conditions, with many employees working remotely indefinitely, the last thing businesses need is a security breach.”
Additional findings from the Forrester Consulting study include:
- Traditional SA&T is long and unengaging, uses outdated content types, and does not rely on behavioural science to achieve its objectives of behaviour and culture change.
- As a result, employees’ behaviours are not changing, which further contributes to a disconnect between employers’ perceptions and how their employees really feel about security.
- APAC firms must advance SA&T programs by exploring alternative content types, providing different methods of delivery based on employee preferences, and extending training outside the workplace.
Line Larrivaud, Forrester Consulting Project Director for this survey, said almost half of business leadership teams (45 per cent) still have the incorrect perception that “security impedes their workforce productivity”.
“Attending SA&T activities does not necessarily translate into a change in behaviour for employees — with 31 per cent of training attendees in APAC still admitting to going around security policies. In New Zealand, more than half (52 per cent) admitted to this,” she said.
“At a time when global cybersecurity threats, customer data breaches and the potential for reputational damage have never been greater, it’s of vital importance that business leaders and employees understand and value the importance of cyber security best practice within their organisation. They simply cannot ignore the consequences or circumvent the protocols.”