Many failed to differentiate between real and fake emails, while others used their work email for personal matters.
In an online study conducted in early December 2021 comprising 1,045 Australian office workers (any industry), 204 Australian IT decision makers (any industry), 1,012 Singaporean office workers (any industry) and 200 Singaporean IT decision makers (any industry), respondents who were IT decision makers were “complacent about risks to the business” arising from phishing and Business Email Compromise (BEC).
In the study, 45% of IT decision makers in the two countries indicated they were concerned about phishing as a risk to their organization, and 34% were concerned about business email compromise.
Among IT decision makers who responded, findings include:
- Only 3% in the study were able to correctly identify whether example emails and SMS were real or fake.
- 27% in the study used their work phones for personal activity and 25% used their work email address for personal activity.
- 46% in the study indicated they were confident they would know the actions needed following a cyber incident or data breach.
- 47% in the study believed their employees understood the business impact of falling victim to a cyberattack, 42% were confident their employees could identify phishing and BEC emails, and 39% believed their employees reported emails they considered suspicious.
- 77% indicated that they planned to invest in cybersecurity in 2022. Of these, 48% indicated they were “most likely” to invest in new cybersecurity software solutions, while 47% indicated intentions to spend on awareness training programs with ongoing and relevant content.
- Other areas of investment indicated by respondents included infrastructure (39%), employee policy changes related to cybersecurity (33%), cybersecurity insurance (35%) and simulated phishing and social engineering for end users (29%).
According to Jacqueline Jayne, Security Awareness Advocate (APAC), KnowBe4, which conducted the study: “When employees are using their work email address for personal activities such as online shopping, they are much more likely to fall victim to a phishing attack that uses a hook such as delivery delays to entice the victim to click through. Having a clear separation between work and personal activities makes it much easier to spot when an email is a scam: if you know you never shop online using your work email address, then you know that email from Amazon cannot be real.”