Employee Data Access Behaviors Hurting Australian Employers

More than 60% of Australian employees admit to bypassing their employer’s cybersecurity policies for convenience, according to identity security vendor CyberArk. Many also access workplace applications with non-secure personal devices.

The CyberArk 2024 Employee Risk Survey, which polled 14,003 workers across the U.S., U.K., France, Germany, Australia, and Singapore in October 2024, revealed that Australian employees generally comply more with cybersecurity policies than other countries.

However, most are still bypassing cyber policies to make their lives easier. CyberArk found common workarounds among Australian employees, including using one password across multiple accounts, using personal devices as WiFi hotspots, and forwarding corporate emails to personal accounts.

SEE: Australian employees choosing convenience, speed over cyber security

In the report, CyberArk’s CEO Matt Cohen said the overall findings show that “high-risk access is scattered throughout every job role,” potentially putting sensitive organizational data at greater risk.

Australian employees access sensitive data from personal devices

The CyberArk report found that most Australian employees (80%) access workplace applications — often containing business-critical data — from personal devices that often lack adequate security controls. This rate of personal device usage is significantly higher than the global average of 60%.

Marketing departments were found to be the most likely (94%) to use personal devices to access work applications, followed by IT teams (93%). Concerningly, more than half (52%) of entry-level employees already had access to critical data with the workplace tools they used.

Australians among slowest to update their personal device security

Australian employees were found to be among the slowest globally to install firmware updates or security patches on their personal or BYOD devices upon release by vendors.

Globally, over a third (36%) of employees surveyed said they do not immediately install security patches or software updates for all their personal devices. In addition, 26% disagreed they always use a VPN when they access work resources, increasing the risk of cyberattacks.

Access to actions valuable for attackers widespread among employees

The report found that widespread privileged access to systems allows many different employees to perform actions that would be considered highly valuable to attackers taking over their accounts:

• 40% of global respondents indicated they habitually download customer data.
• 33% are able to alter critical or sensitive data.
• 30% can approve large financial transactions.

Australian employees struggle with password reuse practices

Password reuse was also common globally. The report found that 49% of employees surveyed used the same login credentials for multiple work-related applications. In Australia, 33% of employees chose to use the same login credentials for both personal and workplace applications and services.

Globally, 41% of surveyed employees said they have shared workplace-specific confidential information with outside parties, which CyberArk said heightened the risk of security leaks and breaches.

SEE: The pace of passkey adoption is lagging in Australia

Productivity being prioritised over cybersecurity policies worldwide

Employees globally are also bypassing cybersecurity policies to avoid friction. Among global respondents to CyberArk’s survey:

• 20% were using personal devices as Wi-Fi hotspots.
• 18% avoided installing an update because it takes too long.
• 18% use personal devices regularly instead of company-issued ones.
• 17% forward corporate emails to personal email accounts.

Some Australian employees never adhere to guidelines for using AI tools

Over 66% of Australian employees were found to be using AI tools. However CyberArk warned AI tools can introduce new vulnerabilities, such as when an employee puts sensitive data into them.

This behaviour appears to be happening among Australian employees: Nearly 25% admitted to occasionally using AI tools that are unapproved or unmanaged by the organisation.

SEE: Splunk urges Australian organisations to secure LLMs

Additionally, over a third (33%) of Australian employees say they either “only sometimes” or “never” adhere to guidelines on handling sensitive information in their use of AI tools.

IT and security pros advised to guide employees toward better practices

Thomas Fikentscher, CyberArk’s area vice president for ANZ, noted that post-authentication breaches are expected to become even more common over time as Australian organisations continue to shift workflows to the cloud. He said organisations should not rely on MFA alone to protect against fraudulent activity.

The CyberArk report also recommended that organisations reduce risky employee behaviours by adopting solutions that empower the workforce rather than slow it down. With AI use growing fast, CyberArk said that security teams need to recognise it is here to stay and that AI use should be considered when modernising security controls for the future.