SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
The case for prioritising IT privacy in businesses
Tue, 18th May 2021
FYI, this story is more than a year old

Our world is becoming more digitised with each passing day and – as we all know - the COVID-19 pandemic accelerated the process considerably. With a heavier reliance on cloud computing, eCommerce, remote collaboration tools and countless other technologies enabling the hybrid workforce, , we are living out our lives online like never before.

With the proliferation of new digital services available to consumers and businesses, it's becoming easier for users to lose track of how much personal information is floating around online and within the business and technology stacks of organisations. Addresses, dates of birth, banking details, photo ID, interests, hobbies, preferences — all being sent, stored and shared like never before.

Even with privacy procedures, policies and awareness campaigns like the recent National Privacy Awareness Week, many organisations and individuals in the ANZ region are still unaware of best practices to safeguard their privacy.

To boot, employees often aren't following company policies if they find themselves in the midst of a privacy incident.

Privacy isn't all about the end-user, especially when it comes to enterprises. Recently, Mimecast commissioned ACA Research into the privacy practices and pitfalls of employees of organisations with over 100 staff members.

The results are sobering, to say the least.

This survey revealed that 21% of Australian respondents had experienced a privacy incident over the last 12 months.

A privacy incident includes, but is not limited to, sharing confidential information with people outside the organisation, falling victim to malicious emails or other forms of malware, and losing devices containing personal or sensitive data.

Of those who experienced such an incident, almost 20% did not report it to their employers. When asked why, 38% stated they didn't think it was that important. This should be enough to send a shiver down the spine of any board member, head of risk, CISO, lawyer or IT manager.

The same survey also showed a discrepancy between what workers say and what they do when it comes to keeping confidential information within an organisation private.

While 74% of those surveyed believe they ‘take privacy seriously' and do enough to protect data in their organisation, 47% download information onto personal devices, and 39% don't take proper precautions when it comes to avoiding public WiFi.

Additionally, a third of respondents don't report suspicious emails to their employer, meaning CISOs and IT teams can often be flying blind until an incident flares up. With findings from the recent Mimecast State of Email Security Report showing that 70% of IT leaders expect an email-born attack will damage their business in 2021, the outlook is grim.

Even though 90% of all cybersecurity incidents involve human error, the blame for the shortfall in privacy behaviours cannot rest solely with employees.

Research shows that the right training is the most effective way to bring this statistic down. But for many organisations, it's just not prioritised enough. Many only have annual check-ups, and some organisations make privacy awareness training optional.

It's no coincidence that the ACA research found that, within the industry with the highest rate of privacy issues — manufacturing, at 52% — 82% of respondents report skipping privacy training.

“Technology alone isn't going to solve the issue,” says Mimecast principal technical consultant Garrett O'Hara.

“Regular security awareness training – and the right kind – is critical. With a quarter of respondents stating they only receive training once a year, and over a third having skipped training, there's a strong risk that what we call ‘unstructured data' – like that contained in messages from one employee to another – can find itself on the wrong side of a privacy incident.

Training needs to be engaging – rather than sleep-inducing – to discourage employees from skipping or downplaying it. Privacy awareness also needs to become part of organisational culture. This is evidenced by the results finding that 10% of people who didn't report a privacy incident said it was because they thought it would jeopardise their job, while 24% felt embarrassed.

Fostering a culture of collaboration, rather than punishment, following a privacy breach can go a long way to change this state of affairs.

“Staff and organisations have had to grapple with huge changes in work practices over the past year, so it's not surprising that some basics in cybersecurity and privacy slipped,” says O'Hara.

“Even so, not reporting a privacy issue is inexcusable, especially when you consider the significant security risks that arise from disclosing personal information and professional data.

“With the right kind of culture, and a year-long focus on effective awareness and training, organisations can work towards building a fence at the top of the cliff rather than needing an ambulance waiting at the bottom.

To find out more about making your organisation more cyber resilient, visit Mimecast's Destination: Cyber Resilience.