When it comes to cybersecurity in the workplace, we all have a role to play. Yet, despite frequent news of attacks and cyber breaches, both small business owners and their employees are not doing enough when it comes to being cyber savvy at work.
Insurance Bureau of Canada recently conducted two polls on actions, knowledge and sentiment about cyber risk and cyber security among employees and business owners at small and medium-sized businesses in Canada. The results show that many small business owners don’t believe they will experience a cyber attack, yet many employees are concerned they are putting their organizations at risk.
Here are the highlights of this year’s research findings:
25% of surveyed employees at small and medium-sized businesses don’t feel they have the tools and training needed to identify potential cyber threats at work
22% of surveyed employees at small and medium-sized businesses are concerned their actions could contribute to a cyber attack or data breach
75% of surveyed employees at small and medium-sized businesses reported at least one behaviour that could potentially compromise their employer’s cyber security or data
45% of surveyed employees at small and medium-sized businesses have seen an increase in scam attempts while at work over the last 12 months.
72% of surveyed employees at small and medium-sized businesses have used a personal device for work at least once.
10% have shared confidential information with a publicly available chatbot or artificial intelligence (AI) platform.
The majority (53%) of surveyed employees at small and medium-sized businesses are making it more likely for hackers to get a hold of workplace passwords through actions such as saving passwords in internet browsers and using one password for multiple websites or for work and personal devices. Respondents were asked if they agree or disagree with each of the following statements:
I have sent a work document to a personal device (37% agreed)
I have saved passwords in my internet browser on my work computer (37% agreed)
I have used one password across multiple websites that I use for work (29% agreed)
I have accessed public Wi-Fi while using my work computer (23% agreed)
I have used the same password for my work devices as my personal ones (19% agreed)
I have downloaded software/an app not provided by my employer onto my work computer (19% agreed)
I have allowed family members or friends to use my work computer (8% agreed)
I have shared my work login or password by email or text (5% agreed)
Based on responses to cyber security knowledge questions, one-in-ten surveyed employees at small and medium-sized businesses do not know how to properly respond to email phishing attempts, such as requests for personal information or company credit cards. Respondents were asked if they agree or disagree with each of the following statements:
If you get an email from someone at work asking you to share personal or sensitive information, you should first confirm they are who they say they are (90% agreed)
You should reply right away to an email from your boss asking for information for a company credit card to make an emergency purchase (13% agreed)
You should immediately click on a link or open an attachment if a vendor sends an overdue payment notice (8% agreed)
You should only share your password or login with a work colleague if it is an emergency (41% agreed)
When it comes to understanding of common cyber security terms:
97% correctly answered that phishing refers to a scam where fraudsters appear to be a reputable source or someone you know in order to solicit confidential information.
44% incorrectly answered that ransomware refers to when a criminal steals your work computer and asks you to pay for it to be returned.
Many employees may underestimate the role they play in being cyber safe at work and the impact of cyber attacks on their employer. Respondents were asked if they agree or disagree with each of the following statements:
38% believe that spam blockers and anti-virus software will prevent them from being able to click on a link or download an attachment from a fraudulent email.
22% believe that the majority of cyber attacks are minor and easy to resolve.
47% believe technology plays more of a role in protecting their workplace from cyber threats than they do.
30% believe that their employer is solely responsible for protecting the company/organization from cyber threats.
31% don’t believe cyber criminals would target them in order to gain access to the company they work for.
Respondents were asked which of the following statements applied to them:
69% said their computer has anti-virus software enabled
55% said their employer has a system in place to block suspicious email messages
54% said their employer has cybersecurity protocols in place
53% said they use multi-factor authentication to log in to work accounts
35% said there has been an increased focus on cybersecurity at their company/organization since they shifted to hybrid/remote work
35% said their employer provides mandatory cybersecurity awareness training
27% said their employer conducts phishing email simulations to assist in promoting employee cyber vigilance and to uncover cyber vulnerabilities
18% said their employer has suffered a cyber attack/data breach
8% answered “none of the above”
Business Owner & Decision Maker Research
62% of respondents believe their business is too small to be targeted by cyber criminals
39% of surveyed business owners and decision makers at small and medium-sized businesses have reported an increase in scam attempts over the last 12 months
Only 48% of respondents have implemented defenses against a possible cyber attack
Many business owners and decision makers at small and medium-sized businesses think their business is too small to be targeted by cyber criminals. Respondents were asked if they agree or disagree with the following statements:
I believe my business is too small to be a target of cyber attack or breach (62% agreed)
I have seen an increase in scam attempts against my business over the last 12 months (39% agreed)
I believe it isn’t a matter of if, but a matter of when my business will be hit by a cyber attack (41% agreed)
My business has made cybersecurity a priority and created a cyber-safe culture (31% agreed)
I believe my employees are the biggest risk factor for a cyber attack or data breach (37% agreed)
The majority of small and medium-sized businesses do not consider cybersecurity to be a financial priority, while almost two-in-ten have had to cut back on what they spend on cyber security. Respondents were asked if they agree or disagree with the following statements:
Currently cybersecurity is not a financial priority for me (62% agreed)
I have had to cut back on what I spend on cybersecurity (17% agreed)
My business would qualify for cyber insurance if we decided to purchase a policy (45% agreed)
Respondents were asked, to the best of their ability, to answer the following:
Has your business implemented defenses against a possible cyber attack? (52% said no/don’t know)
Do you have any intention of purchasing cyber insurance within the next year? (80% said no/don’t know)
(View the full research report for methodology and demographic details.)
Both employers and staff play an important role in cyber security, and regular staff training is a critical component in reducing risk. Visit www.cybersavvycanada.ca for more information and links to trusted resources to improve your defenses against cyber crime. If you have a question about cyber insurance, phone IBC’s Consumer Information Centre at 1-844-2ask-IBC (1-844-227-5422).