Skip to main content

Do your employees know how to combat cyber attacks?

Growth in employee-related risk exposure

In the last two years, criminal syndicates have been increasingly targeting human rather than technological weaknesses in corporate defenses. This is why, in the 2016 EY Global Information Security Survey (GISS) of more than 1,700 chief information security officers (CISOs) and other executives, respondents rated careless or unaware employees as their primary vulnerability to cyber attack, with 55% saying this had increased their risk exposure. As a result, security awareness and training was the number one priority for increased spending on improving data security. In fact, nearly half (49%) of the 92% of surveyed CIOs and CISOs said they would spend more on training in the coming year.

Our 2017 APAC Fraud Survey findings reflect this trend, with an 8% increase in respondents who had received data security training — 63% up from 55% in 2015.

Employees underestimate cyber threats

In the wake of an explosion in cybercrime, APAC employees have a greater awareness of this issue in general than in 2015. However, they have yet to understand how great a threat cyber attacks and insider threats pose to their own organizations. Almost a quarter (24%) of employees in our 2017 survey do not know whether their organization had been a victim of cyber attacks in the last two years — only a third think they had been.


The reality is that, over the last two years, the quantum, variety and sophistication of cyber attacks have all increased exponentially. In our experience, over this time period most organizations have likely already been attacked — even though they may not know it yet. Many cyber attacks are not discovered for months and sometimes years. In one investigation of hackers who had gained access to customers’ online trading accounts at a global bank, EY found user access anomalies dating back more than 12 months before the identified hacking incident.

Personal devices are an open door to cyber criminals

As a clear example of the under-estimation of cyber risk, our 2017 survey identified personal mobile devices as a specific area where APAC organizations are vulnerable to cyber breaches through their employees.


Just under half (47%) of our respondents say their organizations have no policies against using personal devices for work-related activities. Almost half of our respondents (49%) admit to conducting business using their personal mobile device, even though their organization provided them with a work mobile device – and 36% do so frequently. Worryingly, these figures are even more prevalent with senior management, 53% of whom say they frequently conduct business using their personal mobile device.



Two-thirds (66%) of respondents agree that there are risks associated with using personal devices for work-related activities, but 53% of these respondents admit they do so anyway. This highlights the issue that, even when the risks are understood, without clear and consistent policies in place, employees will often demonstrate poor judgment.

“The sheer volume and the level of sophistication of cyber attacks we see today continues to expose even the most sophisticated organizations to potential breach. It is critical that employees understand this and are educated about their role in helping to defend against the wide range of threats their company faces.”


Warren Dunn, Partner, Forensic & Integrity Services, Australia

How safe are your critical assets from insider threat?

The financial, reputational and regulatory impact of having an organization’s critical assets stolen or damaged can be catastrophic. Anyone with trusted access can exploit the vulnerabilities that protect critical assets, causing millions of dollars of damage. To mitigate this risk, organizations should establish a program to protect their critical assets from insider threats.

Managing insider threat risk should be part of a comprehensive corporate security program, from both information security and physical security perspectives. However, insider threat poses unique information security challenges. For example, they:

  • Do not need to “break in” because they already have access and knowledge pertaining to the location of critical assets
  • Are within an organization’s confines, so their illicit activities are harder to detect via traditional signature-based detection than an external attacker

What is insider threat?

An insider threat is when a current or former employee, contractor or business partner, who has or had authorized access to an organization’s network systems, data or premises, uses that access to compromise the confidentiality, integrity or availability of the organization’s network systems, data or premises, whether or not out of malicious intent. Insider threats can include fraud, theft of intellectual property or trade secrets, unauthorized trading, espionage and IT infrastructure sabotage.

Do you have a comprehensive view of risk?

Our 2017 survey finds that many organizations in APAC have a fragmented view of and approach to cyber risk. In fact, companies need to treat cyber and insider threats in the same manner — as elements of an ever-present overarching risk — requiring a comprehensive and highly disciplined risk management approach. It doesn’t matter whether the threat comes from outside or inside the organization, if it is fueled by malicious intent or enabled by ignorance, the impact of an information breach can be financially and reputationally devastating.

Cyber breach response program — what does “good” look like?


Given the likelihood that all businesses will eventually face a cyber breach, it is critical that APAC organizations develop a strong, centralized response framework as part of their overall enterprise risk management strategy.


Have you considered…

  • Whether your breach response plan includes all the right functions: legal, compliance and public relations?
  • Whether your employees know whom to call when they suspect a cyber incident?
  • How incidents are escalated within your company, who must be told and when?
  • Whether your incident response team has segregated duties? Is the team purchasing antivirus technologies the same as the one investigating when those tools fail?
  • Whether you have contracts in place for situations where you need outside help due to the scale of the issue or the unique skills required?
  • Whether you have protocols for when you will notify law enforcement and regulators?
Back to top