The ‘human factor’ has long been a weak link when it comes to cyber security.
Businesses can have the best protection available, but if a staff member unknowingly lets a cybercriminal into the
system then it won’t matter.
Independent research commissioned by Aura Information Security reveals staff are not as secure as their IT managers may
While 62 percent of New Zealand businesses say they carry out security training exercises with their staff, only 37
percent of Kiwis say they have received training on good cyber security practices.
This disconnect is further emphasised by password practice. Most IT managers encourage all staff to use a password
manager to ensure the most common password mistakes aren’t made. However, it doesn’t appear staff are taking this
advice, with one third of employees admitting to reusing the same passwords across both work and personal devices and
accounts.
Hilary Walton, Kordia Chief Information Security Officer, says this is something New Zealand businesses need to address
“Cybercriminals ran rampant in 2020 and it’s only getting worse. New Zealand businesses are becoming more aware of the
risks, but many aren’t doing enough to protect themselves. These businesses may have gotten lucky by not being targeted
yet, but with more and more attacks happening each day, it’s only a matter of time.
“A good place to start is properly educating staff because it’s incredibly easy for complacency and cyber fatigue to set
in. This shouldn’t just consist of a one-off cyber security lesson which is quickly forgotten, but constant reminders
and check-ins to ensure best practice is being followed. Reducing human errors will significantly strengthen your cyber
Poor password practice isn’t the only issue making Kiwi businesses vulnerable to attacks. Organisations are also at risk
from delayed software updates and a lack of care with dodgy links and attachments.
Almost a third
of Kiwis don’t update their work computer or smartphone as soon as software updates become available. Walton says this
is an opening that hackers can easily exploit.
“It’s also concerning to see 20 percent of New Zealanders only sometimes check links to ensure they’re legitimate. This
is something we need to do 100 percent of the time. The fact that 17 percent of respondents said they’re not confident
they could even tell the difference between a legitimate email and a fake emphasises the need to educate staff without
“Sometimes it’s not even the staff member who clicks through to a dodgy link and lets malware into the system. The
survey shows 15 percent of parents let their children use their work devices, further increasing the likelihood of a
mistake being made.”
The research also revealed employees vastly underestimate how often their workplace is targeted by hackers, with an
alarming 25 percent thinking their work isn’t targeted at all. The reality is that in the last 12 months, half of Kiwi
businesses were affected by 1-10 ransomware attacks and a further 35 percent were affected by 11 or more.
“After a year like 2020, the last thing our businesses need is to deal with a cyber-attack shutting systems down or
stealing sensitive information. I’d suggest all Kiwi businesses make it a 2021 goal to strengthen their cyber security
and educate their staff. This needs to be made a priority as soon as possible.
“It’s also important to create a culture where staff feel comfortable to come forward if they think they may have
clicked the suspicious link or attachment. The sooner the IT department knows about an issue the better. Hackers are
known to lie dormant once they get access to a system, waiting for the opportune time to strike to do as much damage as
possible. If you’re unsure, it’s always best to let the IT team know,” concludes Walton.
Four tips to reduce your cyber risk right now:
Run a password manager workshop to show your team how easy it is to use unique passwords across applications.
Chances are you started using work collaboration tools a whole lot more during lockdown. Make good use of these by communicating your organisation’s key security messages on a regular basis. Simple ‘tip of the day’ type messages can work well.
Teach your team how to easily update smartphone apps in one hit. This is important because all apps encounter vulnerabilities, such as the one WhatsApp announced earlier this year which was exploited by remote attackers.
Explain how to spot ‘phishy’ emails. Run a mini workshop or make use of the many great resources available online, for example Kordia’s CyberWise module.
62% of IT decision maker respondents said they carry out employee cyber security training exercises, while 37% of
employees said they received training on good cyber security practices from their company.
65 percent of IT decision makers encourage employees to use a password manager
32 percent of respondents said when logging into apps, computers, or websites that they reuse the same passwords on
both work and personal accounts or devices
31 percent of respondents say they don’t update their smartphone and computer they use for work the moment updates
51 percent of IT decision makers say they estimate they are affected by 1-10 ransomware attacks per quarter