Workers in Oz most likely to break firms’ data security rules

Australia’s casual culture is leading to data security blind spots as employees and business leaders there have the highest prevalence of skirting data security policies and best practices, according to a report from Rubrik.

Rubrik Zero Labs  found that new technologies – from artificial intelligence (AI) to cloud – continue to create countless opportunities for modern cybersecurity threats that capitalise on the explosion of data worldwide.

Rubrik commissioned Wakefield Research to survey more than 1,600 CIOs and CISOs at companies of 500 or more employees across the United States, United Kingdom, France, Germany, Italy, Netherlands, Japan, Australia, Singapore, and India, between June 30 and July 11 in 2023.

Results show that significantly more Australian security executives (20%) said people inside their organisations were definitely accessing data in violation of data policies than the global average (11%).

Almost three times as many Australian boards and C-suites only receive data security updates when there is a material issue (11%) than the global average (4%). Australia also had the lowest instance of these senior decision makers receiving updates at least monthly (4%).

More than half (58%) of local organisations experienced a loss of sensitive data in the past year. Australian organisations reported the highest instance of multiple data loss events in the same year (31%). Globally, one in five organisations (20%) experienced multiple data loss events.

Antoine Le Tard, Rubrik VP in the Asia-Pacific region, said after more than 15 years living in Australia he had seen an admirable culture of “getting it done” among the workforce. But in recent years this increasingly put organisations at greater cyber risk.

“This desire to help as quickly as possible and remove friction from the customer relationship can sometimes lead to a liberal interpretation of organisational procedures and policies,” Le Tard said.

“While their heart is in the right place, we now live in an age in which cyber attackers are constantly looking for any inroads they can find – so it’s clear data security policies are a corner that should never be cut,” he added.

Le Tard said that while employees contravening data policies was one thing, board and C-suite executives should be more proactive in understanding their data security posture.

Despite the multiple high-profile data breaches over the previous 18 months, the research found more than one in 10 Australian senior decision makers were only receiving updates when a material issue arises – and by then, it’s already too late.

Le Tard observed that the trend globally was for the majority of senior leaders to receive data security updates quarterly or every six months. This is much better practice as it allows any issues to be addressed before they’re exploited.”  

“On the other side of the coin, in my conversations with CEOs, many feel as though they don’t know the right questions to ask of their security teams,” he said. “Further, the answers they do receive are often highly-technical and difficult to understand for those without a security background.”

Findings also show that Australian organisations have 5.7 million sensitive data records, on average.

Among Australian IT and security leaders surveyed, 88% believe their organisation’s current data growth is outpacing their ability to secure this data and manage risk. This is significantly higher than the global average of 66%.

The most widely reported data types compromised in Australia included account numbers (42%), authentication keys (35%), corporate financial data (35%), and intellectual property (35%).

The consequences that most concerned Australian security leaders following the loss of sensitive data included operational disruptions (29%), reputational damage (19%), customer loss (18%), and litigation (18%).

One quarter (25%) of Australian respondents reported their organisation being at ‘high risk’ of material loss of sensitive data in the next 12 months (72% reported either a ‘high’ or ‘moderate’ risk).