
Research reveals big difference between how employees and IT decision makers view cyber security

By Media Release, 4 March 2021

The ‘human factor’ has long been a weak link when it comes to cyber security.


Businesses can have the best protection available, but if a staff member unknowingly lets a cybercriminal into the system then it won’t matter.


Independent research commissioned by Aura Information Security reveals staff are not as secure as their IT managers may think.


While 62 percent of New Zealand businesses say they carry out security training exercises with their staff, only 37 percent of Kiwis say they have received training on good cyber security practices[1].


This disconnect is further emphasised by password practice. Most[2] IT managers encourage all staff to use a password manager to ensure the most common password mistakes aren’t made. However, it doesn’t appear staff are taking this advice, with one third[3] of employees admitting to reusing the same passwords across both work and personal devices and accounts.


Hilary Walton, Kordia Chief Information Security Officer, says this is something New Zealand businesses need to address right away.


“Cybercriminals ran rampant in 2020 and it’s only getting worse. New Zealand businesses are becoming more aware of the risks, but many aren’t doing enough to protect themselves. These businesses may have gotten lucky by not being targeted yet, but with more and more attacks happening each day, it’s only a matter of time.


“A good place to start is properly educating staff because it’s incredibly easy for complacency and cyber fatigue to set in. This shouldn’t just consist of a one-off cyber security lesson which is quickly forgotten, but constant reminders and check-ins to ensure best practice is being followed. Reducing human errors will significantly strengthen your cyber defence.”


Poor password practice isn’t the only issue making Kiwi businesses vulnerable to attacks. Organisations are also at risk from delayed software updates and a lack of care with dodgy links and attachments.


Almost a third[4] of Kiwis don’t update their work computer or smartphone as soon as software updates become available. Walton says this is an opening that hackers can easily exploit.


“It’s also concerning to see 20 percent of New Zealanders only sometimes check links to ensure they’re legitimate. This is something we need to do 100 percent of the time. The fact that 17 percent of respondents said they’re not confident they could even tell the difference between a legitimate email and a fake emphasises the need to educate staff without delay.


“Sometimes it’s not even the staff member who clicks through to a dodgy link and lets malware into the system. The survey shows 15 percent of parents let their children use their work devices, further increasing the likelihood of a mistake being made.”


The research also revealed employees vastly underestimate how often their workplace is targeted by hackers, with an alarming 25 percent thinking their work isn’t targeted at all. The reality is that in the last 12 months, half[5] of Kiwi businesses were affected by 1-10 ransomware attacks and a further 35 percent were affected by 11 or more.


“After a year like 2020, the last thing our businesses need is to deal with a cyber-attack shutting systems down or stealing sensitive information. I’d suggest all Kiwi businesses make it a 2021 goal to strengthen their cyber security and educate their staff. This needs to be made a priority as soon as possible.


“It’s also important to create a culture where staff feel comfortable to come forward if they think they may have clicked the suspicious link or attachment. The sooner the IT department knows about an issue the better. Hackers are known to lie dormant once they get access to a system, waiting for the opportune time to strike to do as much damage as possible. If you’re unsure, it’s always best to let the IT team know,” concludes Walton.


Four tips to reduce your cyber risk right now:

  1. Run a password manager workshop to show your team how easy it is to use unique passwords across applications.
  2. Chances are you started using work collaboration tools a whole lot more during lockdown. Make good use of these by communicating your organisation’s key security messages on a regular basis. Simple ‘tip of the day’ type messages can work well.
  3. Teach your team how to easily update smartphone apps in one hit. This is important because all apps encounter vulnerabilities, such as the one WhatsApp announced earlier this year which was exploited by remote attackers.
  4. Explain how to spot ‘phishy’ emails. Run a mini workshop or make use of the many great resources available online, for example Kordia’s CyberWise module.


[1] 62% of IT decision maker respondents said they carry out employee cyber security training exercises, while 37% of employees said they received training on good cyber security practices from their company.

[2] 65 percent of IT decision makers encourage employees to use a password manager.

[3] 32 percent of respondents said that when logging into apps, computers, or websites, they reuse the same passwords on both work and personal accounts or devices.

[4] 31 percent of respondents say they don’t update the smartphone and computer they use for work the moment updates become available.

[5] 51 percent of IT decision makers say they estimate they are affected by 1-10 ransomware attacks per quarter.