Employee data access behaviors hurt Australian employers


More than 60% of Australian employees admit to circumventing their employers' cybersecurity policies for convenience, according to identity security provider CyberArk. Many also access workplace applications with unsecured personal devices.

The CyberArk Employee Risk Survey 2024, which surveyed 14,003 workers in the US, UK, France, Germany, Australia and Singapore in October 2024, revealed that Australian employees are generally more compliant with cybersecurity policies than those in other countries.

However, most still circumvent cyber policies to make their lives easier. CyberArk found common workarounds among Australian employees, including reusing one password across multiple accounts, using personal devices as Wi-Fi hotspots, and forwarding corporate emails to personal accounts.

In the report, CyberArk CEO Matt Cohen said the overall findings show that “high-risk access is dispersed across all workplaces,” potentially putting organizations' sensitive data at greater risk.

Australian employees access sensitive data from personal devices

The CyberArk report found that the majority of Australian employees (80%) access workplace applications (which often contain business-critical data) from personal devices that often lack adequate security controls. This rate of personal device usage is significantly higher than the global average of 60%.

Marketing departments were found to be the most likely (94%) to use personal devices to access work applications, followed by IT teams (93%). Worryingly, more than half (52%) of entry-level employees already had access to critical data with the workplace tools they used.

Australians are among the slowest to update the security of their personal devices

Australian employees have been found to be among the slowest globally to install firmware updates or security patches on their personal or BYOD devices once vendors release them.

Globally, more than a third (36%) of employees surveyed said they do not immediately install security patches or software updates for all of their personal devices. Additionally, 26% disagreed that they always use a VPN when accessing work resources, which increases the risk of cyberattacks.

Widespread employee access to actions valuable to attackers

The report found that widespread privileged access to systems allows many different employees to perform actions that would be very valuable to an attacker who takes over their accounts:

  • 40% of respondents globally indicated that they regularly download customer data.
  • 33% are capable of altering critical or sensitive data.
  • 30% can approve large financial transactions.

Australian employees struggle with password reuse practices

Password reuse was also common globally. The report found that 49% of employees surveyed used the same login credentials for multiple work-related applications. In Australia, 33% of employees chose to use the same login credentials for both personal and work apps and services.

Globally, 41% of employees surveyed said they had shared sensitive workplace-specific information with third parties, which CyberArk said increased the risk of leaks and security breaches.

Productivity is prioritized over cybersecurity policies around the world

Employees around the world are also circumventing cybersecurity policies to avoid friction. Among global respondents to CyberArk's survey:

  • 20% used personal devices as Wi-Fi hotspots.
  • 18% avoided installing an update because it takes too long.
  • 18% regularly use personal devices instead of company-issued ones.
  • 17% forward corporate emails to personal email accounts.

Some Australian employees never follow guidelines for using AI tools

More than 66% of Australian employees were found to be using AI tools. However, CyberArk warned that artificial intelligence tools can introduce new vulnerabilities, such as when an employee enters sensitive data into them.

This behavior appears to be occurring among Australian employees: almost 25% admitted to occasionally using AI tools that are not approved or managed by the organization.

Additionally, more than a third (33%) of Australian employees say they “only sometimes” or “never” follow guidelines on handling sensitive information when using AI tools.

IT and security professionals encouraged to guide employees toward best practices

Thomas Fikentscher, area vice president of CyberArk for ANZ, said post-authentication breaches are expected to become even more common over time as Australian organizations continue to move workflows to the cloud. He said organizations should not rely solely on MFA to protect against fraudulent activity.

The CyberArk report also recommended that organizations reduce risky employee behaviors by adopting solutions that empower the workforce rather than slow it down. With the use of AI growing rapidly, CyberArk said security teams must recognize that it is here to stay and that the use of AI should be considered when modernizing security controls for the future.
