A total of 70% of APAC IT decision makers believe governments should do more to protect against security risks, according to a survey from KnowBe4.
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, has announced new research which has found seven in 10 (70%) of IT decision makers feel the Australian and Singaporean Governments should be doing more to protect businesses in Australia and Singapore from cyberattacks.
In addition, only just over half (52%) of IT decision makers in Australia and Singapore say they are confident they understand their organization’s responsibilities regarding government reporting of cyber incidents and data breaches.
Jacqueline Jayne, Security Awareness Advocate for APAC at KnowBe4, said: “It’s clear from our research that IT leaders and businesses across APAC are not feeling supported by the government when it comes to security issues. There is more education required for those in IT about their obligations and commitments but also of the general public about how to stay safe online both at home and at work.”
Actions IT decision makers believe the government should be taking, include:
- Providing more education and awareness to all citizens about cyber-risks and how to stay safe online (45%)
- Providing more training for businesses on cyber-risks (42%), and
- Providing more funding for businesses for cyber protection (38%).
Who is responsible?
Jayne continues: “The reality is that cyberthreats are so pervasive that keeping individuals and businesses safe requires a combined effort from the government, business leaders, IT departments and employees alike. There is no panacea or magic technology solution that will protect your business. Everyone needs to be educated about potential threats and how to avoid them.”
Worryingly, fewer than half (45%) of APAC IT decision makers believe that it is everyone’s responsibility to protect the organization from cyberattacks.
· 33% believe it is the IT department’s responsibility
· 21% believe it is the employee’s responsibility
· 22% believe it is the government’s responsibility, and
· More than a quarter (27%) say technology should be protecting the organization from cyberattacks.
The employee view:
Given the IT department’s lack of clarity, it is unsurprising that employees are also unaware of who is responsible for cybersecurity:
· Almost a quarter (24%) say technology should be protecting the organization from cyberattacks.
· 21% believe it is the IT department’s responsibility, and
· 11% believe it is the government’s responsibility.
However, training regarding cybersecurity impacts employees’ views and makes them more likely to take responsibility for their own role in keeping the organization safe.
Those who have received training are more likely to believe it is the employees’ responsibility (16%) compared to those who have not received training (11%).
While in contrast, those who have never received training are more likely to believe it is the IT department’s responsibility (29% compared to 17%).
We asked Jacqueline Jayne, Security Awareness Advocate for APAC at KnowBe4, further questions to find out more.
What are the reasons for employees being unaware of who is responsible for cybersecurity?
Historically the IT Department has been responsible for cybersecurity. The attack vector has increased exponentially over the last 10 years. Technological developments, increased Internet speed, accessibility, the growth of mobile devices and more recently the move to remote working has meant that cybersecurity is literally on the move as we take our devices everywhere with us.
As a result, the responsibility when it comes to cybersecurity has spread from IT to literally everyone in an organization. IT remain the subject matter experts, policymakers and strategists in this space. However, with the increased level of risk and threats, we all have a role to play.
What is the best way to educate employees about their cybersecurity responsibilities?
The proven and most effective way to educate employees about their cybersecurity responsibilities is with an on-going, relevant and engaging cybersecurity awareness and education program. This includes a whole organization approach with executive buy-in, change management principles, training, conversations, communication and an opportunity to apply new knowledge with simulated social engineering (such as phishing emails). Also, make sure you explain the WIIFT (What’s In It For Them) – telling people to do something without a reason why just won’t work.
Why is training such a positive move when it comes to helping employees keep their organizations safe?
You don’t know what you don’t know. Continuous knowledge leads to awareness which after time will result in a change of behavior. Employees will be grateful that their organization is taking the time to keep them safe online as there are so many transferable skills that can be applied at home, with extended family and friends and especially with keeping our kids safe online.
Why is a combined approach to cybersecurity so important?
Let’s look at a non-cyber analogy. When you learn to drive a car the first thing you need to do is theory – the road rules. Then, you need to pass a test to obtain your learners permit where you can start to drive a car with a licensed driver for about 12 months. Then, there is another test to make sure you can apply everything you have learned about the road rules and can safely drive a car.
During this test, you need to demonstrate what you have learned. Here in Australia, it could take you three years until you can drive by yourself (without an L or P plate on your vehicle). Even after this, there are reminders on the road, safety campaigns from the local government (Drink and Drive, You’re a Bloody Idiot), speed cameras, red-light cameras, changes on the roads etc.
It never ends. Taking a combined approach when it comes to cybersecurity is very similar. We all need to know the cyberthreat landscape, what red flags we need to look for, how to avoid the dangers, have an opportunity to apply and demonstrate our new knowledge, understand that it will take time for us to do ‘all the things’ naturally as behaviour change takes time. Even when we are at the top of our game, know all the red flags to identify a scam email or disinformation on social media, there is always something new to learn as cybercriminals are always changing the rules.
Click below to share this article