CISOs across the Asia-Pacific region say careless or unaware employees are their primary vulnerability to cyber attacks, according to a new report.
More than half of the 1,700 chief information security officers and other executives responding to EY’s 2017 APAC Fraud Report said these staff had increased their risk exposure.
EY said that, in the wake of an explosion in cybercrime, APAC staff have a greater awareness of the cyber security issue in general than they did in 2015. But they have yet to understand how great a threat cyber attacks and insider threats pose to their own organisations.
Almost a quarter (24 per cent) of employees responding to the research said they did not know whether their organisation had been a victim of cyber attacks in the last two years. Only one-third believed they had been.
The reality is that, over the last two years, the quantum, variety and sophistication of cyber attacks have all increased exponentially, EY said in its report.
“In our experience, over this time period most organisations have likely already been attacked – even though they may not know it yet. Many cyber attacks are not discovered for months and sometimes years,” EY said.
“In one investigation of hackers who had gained access to customers’ online trading accounts at a global bank, EY found user access anomalies dating back more than 12 months before the identified hacking incident.”
Meanwhile, almost half (47 per cent) of research respondents say there’s no particular company policy controlling how staff use personal devices for work-related activities at their organisations.
This creates vulnerabilities, with about half of the respondents agreeing that they conduct business using their personal mobile devices even if they have been issued with a work device.
EY Oceania managing partner, fraud investigation & dispute services, Rob Locke, said Asia-Pacific organisations can no longer afford to be complacent when it comes to cyber threats.
“Whilst companies often think of cyber attacks as external threats, they would be well advised to ignore the very real threats posed internally.”
“Current cyber policies are inadequate in safeguarding against rogue employees and criminals who are intent on stealing data, intellectual property and even cash,” Locke said.
“Given 40 per cent of Australian survey respondents say they do not have a policy in place for using personal devices at work, companies must design and enforce policies that help mitigate the risk of both external and internal cyber attacks.”