Cybersecurity company KnowBe4 found in its latest research that poor training of employees could lead to corporate information leakage. The survey showed 24% are unsure whether the information they are working with is confidential or not.
If employees are clueless about how information should be handled, there is a high probability that they will share this data with someone outside of their networks.
KnowBe4 Research investigates the IT security culture of companies worldwide and carries out continuous surveys to see how companies and organizations handle IT security and training. The survey was carried out by KnowBe4 Research, the Norwegian research arm of the IT security company KnowBe4. A total of 408,929 respondents worldwide, including across the Asia Pacific, took part in the survey, which was carried out in May 2021.
“Managers have a responsibility to train their staff to treat the information they are working with in a good way. That as many as a quarter of employees are unsure about this indicates a considerable failing in many companies,” says Kai Roer, research director, KnowBe4.
It is obvious that should confidential information fall into the wrong hands, it could harm the company in a variety of ways. Some information could be market sensitive, some could impact the organization’s reputation or breach data privacy regulations, while leaked log-in information could give cybercriminals access to business-critical internal systems.
Sectors most at risk
The survey found that 34%-35% of employees are “unsure about the status of the information they are working with.” But the figures differ among the construction, education, transport, and retail sectors. In banking and finance, the proportion is at 16%.
“We also see the same tendency in the annual security culture report,” Roer said. “Sectors like banking and finance are, on the whole, more used to dealing with confidential information and probably have better routines and procedures for this. We see a clear link between the various aspects of security culture. The organizations that do well in one area, generally also do well in other areas. Unfortunately, IT security is equally important for everyone, regardless of the business sector. This has been demonstrated by a series of cyberattacks in Norway over the past year.”
KnowBe4 said that while some organizations include non-disclosure agreements in their employees’ employment contracts, these agreements should specify what can and cannot be shared.
“These figures indicate that the issue has generally not been properly explained to or followed up with employees,” Roer said. “When someone starts a new job, they are given access to a lot of information. It is the manager’s responsibility to follow up and ensure that their employees are confident in their role and know how to handle the information they encounter. It is equally important to ensure that employees handle confidential information correctly as time goes on. It is not enough just to provide training when people join the organization.”
KnowBe4 suggests that constant follow-up and training in the practice of IT security is needed to refresh employees’ awareness and keep them up to date with the latest developments.
“Cybercriminals are working constantly to develop more cunning methods of attack. In addition, things can happen within the company to change the situation, which employees must be made aware of,” Roer said.