Employee data access behavior harming Australian employers

According to identity security vendor CyberArk, more than 60% of Australian employees admit to bypassing their employer’s cyber security policies for convenience. Many also access workplace applications using unsecured personal devices.

The CyberArk 2024 Employee Risk Survey, which surveyed 14,003 workers in the US, UK, France, Germany, Australia and Singapore in October 2024, found that Australian employees are generally more compliant with cybersecurity policies than those in other countries.

However, most still circumvent cyber policies to make their lives easier. CyberArk found common workarounds among Australian employees, including using one password for multiple accounts, using personal devices as Wi-Fi hotspots, and forwarding company emails to personal accounts.

CyberArk CEO Matt Cohen said in the report that the overall findings show that “high-risk access is dispersed across every job role,” potentially putting sensitive organizational data at greater risk.

Australian employees access sensitive data from personal devices

The CyberArk report found that the majority of Australian employees (80%) access workplace applications – often containing critical business data – from personal devices that often lack adequate security controls. This rate of personal device usage is significantly higher than the global average of 60%.

Marketing departments were found to be the most likely (94%) to use personal devices to access work applications, followed by IT teams (93%). More than half (52%) of entry-level employees already had access to critical data through the workplace tools they used.

Australians are among the slowest to update the security of their personal devices

Australian employees were found to be among the slowest in the world to install firmware updates or security patches on their personal or BYOD devices after vendors issue them.

Overall, more than a third (36%) of employees surveyed said they do not immediately install security patches or software updates for all of their personal devices. Additionally, 26% disagreed that they always use a VPN to access work resources, which increases the risk of cyber attacks.

Access to actions valuable to attackers widespread among employees

The report found that widespread privileged access to systems allows many different employees to perform actions that would be highly valuable to attackers who take over their accounts:

  • 40% of global respondents said they usually download customer data.
  • 33% are able to change critical or sensitive data.
  • 30% can approve large financial transactions.

Australian employees struggle with password reuse practices

Password reuse was also common worldwide. The report found that 49% of employees surveyed used the same credentials for multiple work applications. In Australia, 33% of employees choose to use the same login information for both personal and work apps and services.

Overall, 41% of employees surveyed said they shared confidential workplace-specific information with external parties, which CyberArk said increased the risk of leaks and security breaches.

Globally, productivity is prioritized over cybersecurity policies

Employees around the world are also bypassing cybersecurity policies to avoid friction. Among CyberArk’s global survey respondents:

  • 20% use personal devices as Wi-Fi hotspots.
  • 18% avoid installing an update because it takes too long.
  • 18% regularly use personal devices instead of business devices.
  • 17% forward company emails to personal email accounts.

Some Australian employees never follow guidelines for using AI tools

More than 66% of Australian employees were found to be using AI tools. However, CyberArk warned that AI tools could introduce new vulnerabilities, such as when an employee feeds sensitive data into them.

This behavior appears to be occurring among Australian employees: Almost 25% admitted to occasionally using AI tools that are not approved or managed by the organization.

Additionally, more than a third (33%) of Australian employees report that they either “only sometimes” or “never” follow guidelines for handling sensitive information when using AI tools.

IT and security professionals advised to guide employees to better practices

Thomas Fikentscher, CyberArk’s regional vice president for ANZ, noted that post-authentication breaches are expected to become more common over time as Australian organizations continue to move workflows to the cloud. He said organizations should not rely solely on MFA to protect against fraudulent activity.

The CyberArk report also recommended that organizations reduce risky employee behavior by adopting solutions that empower the workforce rather than slow it down. With the use of artificial intelligence growing rapidly, CyberArk said security teams need to recognize that it is here to stay and to account for its use when modernizing security controls for the future.
