CyberArk (NASDAQ: CYBR), the global leader in identity security, today released the results of new employee research that reveals that many common employee data access behaviors are putting organisations at risk. It found that while Australian employees are generally more compliant with cybersecurity policies than other countries, more than 60% still admit to bypassing policies for convenience, and 33% use the same log in credentials for both personal and workplace applications and services.

The CyberArk 2024 Employee Risk Survey found that Australian employees are amongst the slowest globally at installing firmware updates or security patches on their personal or BYOD devices. This highlights the urgency for security teams to rethink how identity security controls are applied to their modern hybrid working and flexible access workforce.

In parallel, new research from CyberArk Labs, “White FAANG: Devouring Your Personal Data” has shown how the individual browsing and internet history of individual employees can present cyber issues for their employers, as well as to personal lives.

Thomas Fikentscher, Area Vice President for ANZ, CyberArk, commented “As Australian organisations continue to shift their workflows and workforces to the cloud, post authentication breaches will become even more common. Multi factor authentication does not offer sufficient protections against fraudulent activity and organisations should be taking active steps to reimagine their workforce identity security.”

Key findings of the survey include:

1. Most employees have access to sensitive business information: The report found that the majority of Australian employees (80%) access workplace applications – which often contain business-critical data – from personal devices that frequently lack adequate security controls. The survey confirms that privileged access is no longer confined to IT admins. 40% of respondents indicated they habitually download customer data; a third are able to alter critical or sensitive data; and a third can approve large financial transactions.
2. Password Reuse Is Common: The report confirms almost 49% of employees surveyed use the same login credentials for multiple work-related applications, while 33% use the same credentials for both personal and work applications. 41% of those surveyed have shared workplace-specific confidential information with outside parties. These practices significantly heighten the risk of security leaks and breaches.
3. Majority Bypass Cybersecurity Policies: 60% of employees often bypass cybersecurity policies to make their lives easier. Common workarounds include using one password across multiple accounts; using personal devices as WiFi hotspots; and forwarding corporate emails to personal accounts.
4. AI Adoption Creates More Security Challenges: The report also sheds light on the growing use of AI tools in the workplace. Over 66% of employees use AI tools, which can introduce new vulnerabilities when, for instance, sensitive data is inputted into them. Almost 25% of Australian employees admit to sometimes using AI tools that are unapproved or unmanaged by the organisation. Over a third (33%) of employees either ‘only sometimes’ or ‘never’ adhere to guidelines on handling sensitive information in their use of AI tools.

CyberArk Labs “White FAANG: Devouring Your Personal Data” research shows how the individual browsing and internet history of individual employees can present cyber issues for their employers, as well as to personal lives. Detailing how individual browsing history data – downloaded from technology giants like Apple and Meta – is easily stolen, it shows how an attacker might abuse this extensive information trove as, for example, an attack vector into employer organisations.

The combination of worrisome employee actions and attackers’ ability to steal and capitalise on browsing history and internet usage increases risk for organisations. By implementing a robust identity security program with dynamic privilege controls at every user checkpoint, security teams can prevent attackers from gaining access to sensitive and privileged information without adding unwanted friction into workplace processes.

“For far too long, the standard approach to workforce access security has been centered around basic controls like authentication via single sign on. This ignores the reality of the modern worker and the changing nature of identity: the average employee can be a casual workforce user and, the next moment, a privileged account,” said Matt Cohen, CEO at CyberArk. “These findings show that high-risk access is scattered throughout every job role and bad behaviors abound, creating serious security issues for organisations and highlighting the pressing need to reimagine workforce identity security by securing every user with the right level of privilege controls.”

The Workforce Report is based on a survey¹ of 14,003 employees working in all major types of job roles and vertical industries across the USA, UK, France, Germany, Australia and Singapore in October 2024, revealing insights into prevalent employee behaviors and data access patterns. It was conducted by Censuswide.