Despite increased awareness of cybercrime and potential ramifications of online attacks, Australians continue to have a cavalier attitude towards online security, according to a survey of over 1000 local consumers. This attitude carries over into the workplace and can put businesses at risk.
What's surprising is that those who have suffered a cyberattack in the past often continue to engage in unsafe online practices such as sharing passwords. Here are the full details of the survey.
Security vendor Norton by Symantec conducted a global survey across 21 countries and gathered responses from 1005 consumers in Australia. The objective was to gauge the attitude of Australians when it comes to protecting themselves online. Considering Australia is one of the most popular target countries for cybercriminals, especially when it comes to ransomware, the findings are not encouraging.
"Australians are generally becoming more aware of the risks when going about their business online, they're just not taking basic steps to address that," Symantec technology strategist Mark Shaw told Lifehacker Australia.
Around 76% of Australian consumers know they need to actively protect their information online, but most of them are still engaging in risky online behaviour. This includes sharing passwords with other people (presumably family members) for online accounts such as Facebook, email and banking. One in four Australians can't tell the difference between a real message and a phishing email, which makes it more likely for them to click on malicious links. Those who have been victims of cybercrime within the past year are also more likely to be repeat offenders, often continuing their unsafe online behaviour, according to the report.
It's troubling because these people know the dangers they face online; the awareness is there. For example, almost two-thirds (65 percent) of respondents said they believe entering financial information online when connected to public WiFi is riskier than reading their credit or debit card number aloud in a public place.
The problem is complacency. Despite knowing the dangers, consumers seem to have a false sense of security and innately trust technology vendors to secure their products, especially with internet-of-things (IoT) devices. Around 26% of Australians who use connected home devices are relying on safety in numbers; they don't think their devices are worthwhile for hackers to attack. But as we've seen in the recent massive Mirai DDoS attack that took down a portion of the internet, insecure IoT devices can indeed be 'weaponised' by cybercriminals.
Globally, 62% of consumers said they believe connected home devices were designed with online security in mind, according to the Symantec research. That's clearly not the case. In recent years we've found out that a number of low-end connected device manufacturers don't really pay a lot of attention to security. Many produce devices with default login credentials which are often left unchanged by their customers.
As security expert Bruce Schneier recently said at a US congressional hearing:
"Our computers are secure for a bunch of reasons. The engineers at Google, Apple, Microsoft spent a lot of time on this. But that doesn’t happen for these cheaper devices.
"…These devices are a lower price margin, they’re offshore, there’s no teams. And a lot of them cannot be patched. Those DVRs are going to be vulnerable until someone throws them away. And that takes a while. We get security [for phones] because I get a new one every 18 months. Your DVR lasts for five years, your car for 10, your refrigerator for 25. I’m going to replace my thermostat approximately never. So the market really can’t fix this."
Risky Online Behaviour In The Workplace
While the Norton By Symantec Report didn't dig deeper into how consumers behave online at work, the research does imply that risky online practices of Australians can extend into the workplace and put businesses at risk, according to Shaw.
"For example, phishing scams, which have been around for over two decades, have become so sophisticated that Australians still have a hard time identifying fake emails from legitimate emails. According to the research, one in four Australians cannot detect a phishing attack, and another 15 percent of Australians have to guess between a real message and a phishing email. If phishing emails come through on company connected devices, then clearly this behaviour can put businesses at risk too.
"The reality is most people aren’t truly sure how to tell a real email from a fake email. Only half are doing it the right way by looking to see if the email is asking them to take a compromising action, like downloading attachments or sharing their passwords."
Ransomware is also known to spread through phishing email and cybercriminals are increasingly targeting businesses.
In 2014, a study by security vendor McAfee showed that 80 per cent of office workers were sucked in by phishing emails. The situation has improved since then but earlier this year, a study by Duo Security found that one-third of employees are still falling for phishing attacks, putting their organisations at risk.
Last week, BAE Systems worked out the average cost of a cyberattack on Australian is over $622,000.
To help end-users avoid falling victim to email phishing scams, we have a quick 10 step guide here.
Here's a question for our readers: Has your organisation ever suffered a cyberattack because of a mistake by an end-user? Let us know in the comments.