Who is putting your client’s company at risk for a cyber scam?

Two-in-five employees surveyed (42%) said they’ve seen an increase in cyber scam attempts over the last year, yet only a third of surveyed employees (34%) reported their company provides mandatory cyber security awareness training, finds new research by the Insurance Bureau of Canada (IBC). 

While employees‘ actions increase their companies’ cyber security risk, IBC said in a recent survey, cyber security measures must be led by the top and involve all employees, noted a cyber expert at the recent RIMS Canada Conference in Halifax.  

Employees are also underestimating the role they play in their companies’ cyber safety. Thirty per cent of respondents said they don’t believe cyber criminals would target them at work, while 28% of respondents said their employer is solely responsible for their workplace’s cyber security, IBC’s survey of 1,525 Canadian employees of small and medium-sized businesses found.  

“United you stand, divided you fall,” says Katharine Hall, cyber practice leader at Aon Canada in a RIMS Canada Conference panel discussion. “Cyber risk management must be led from the top. 

“IT, risk management, HR and legal need a coordinated approach to managing risks. It is not just one guy in IT who’s going to manage this for you,” she said. 

Employees must also be part and parcel of these cyber measures, according to IBC. 

“Everyone has a role to play in reducing cyber threats in the workplace,” said Celyeste Power, executive vice-president, strategic initiatives and advocacy at IBC in a press release. “While cyber insurance is an important backstop for businesses in the event of a cyber breach, it should be thought of as one component within a complete cyber risk mitigation strategy aimed at reducing an organization’s vulnerability to online threats.” 

However, IBC’s survey found that 72% of employees reported at least one behaviour that could allow a cybercriminal to gain access to their company’s computer systems, including:  

• 27% use one password to access multiple websites for work; 
• 23% access public Wi-Fi while using their work computer; 
• 19% download software/apps on their work devices that were not provided by their employer; 
• 7% allow family members or friends to use their work computer; and 
• 5% share their work login or password by email or text. 

What’s more, hybrid/remote employees are even more likely (77%) to take actions that may compromise their employer’s cyber security or data, IBC found — of increasing concern to insurers as hybrid work has become the new norm.

The research also found 21% of respondents believe most cyber breaches are minor and easy to resolve. However, the average total cost of a data breach to Canadian organizations was an estimated $7.3 million in 2021, according to IBM’s Cost of a Data Breach Report 2022.  

Employees, though, aren’t all to blame. Only half (50%) of employees said their organization has introduced multi-factor authentication, a security measure that insurers are increasingly requiring clients to have before they qualify for coverage.  

And only a quarter (24%) of employees reported that their employer conducts phishing email simulations to help promote cyber vigilance. 

Feature image by iStock.com/Mykyta Dolmatov