
70% of Australian executives are vulnerable to rising cyberattacks: Discover the key defence - security awareness training

Published on 25/09/2024 Written by David Jani and Andrew Blair.

Senior executives in Australian companies manage critical business data, making them prime targets for cybercriminals. Without robust cybersecurity measures, these businesses are at a significant risk of data breaches.

Australian senior executives undergoing security awareness training against AI-generated deepfakes

More senior company executives are now targets for fraud, whether artificial intelligence (AI)-generated deepfakes, biometric security breaches, or ID fraud. This is a finding from GetApp’s 2024 Executive Cybersecurity survey*, which canvassed 2,648 IT and cybersecurity professionals across 11 countries, including 241 respondents from Australia.

These kinds of attacks could run costs into millions, making it imperative to provide specialised cybersecurity training to all staff members, but especially to senior executives. To reinforce this, our study found that nearly half (49%) of Australian companies targeted by a cyberattack in the last 18 months prioritised training executives on security topics. 

Given the amount of data, company control, and money they have authority over, senior business executives offer a major prize to cyberattackers. Despite the urgency though, work pressure and time constraints can lead many leaders to skip cyberattack defence training. Is this a risk businesses can afford to take?

Key insights
  • 70% of Australian senior executives have been targeted at least once by a cyberattack in the last 18 months according to surveyed IT and cybersecurity professionals
  • 69% of respondents whose company’s senior executives were previously targeted say cyberattacks against senior members of staff have increased
  • 22% of attacks in the last 18 months used AI-assisted deepfakes to target senior executives, although the majority of attacks were caused by phishing or malware
  • 86% of IT and cybersecurity professionals agree that senior executives should receive more cybersecurity training than other employees
  • 28% of Australian respondents say their companies have no extra cybersecurity training for senior executives, despite the risks

Cyberattacks targeting Aussie senior executives have increased the most in global comparison 

The Office of the Australian Information Commissioner (OAIC) publishes half-yearly reports on notifications received under the Notifiable Data Breaches (NDB) scheme to track the leading sources of data breaches and highlight emerging issues and areas for regulated entities’ ongoing attention.

The key findings of the latest report (July to December 2023) state that the authority received 483 notifications during this reporting period. This marks a 19% increase compared to the notifications received in January to June 2023. Of all data breaches, 44% resulted from cybersecurity incidents. [1]

Similarly, Capterra’s survey findings also report an increase in cyberattacks, but specifically aimed at Australian senior executives. In fact, Australian senior executives are among the most affected of all respondents in our global survey.

Seven out of ten (70%) IT and cybersecurity respondents report senior executives in their companies have been the target of at least one cyberattack in the last 18 months, which is also significantly above the global average of 63%. 

Senior executive targeting is also an increasing trend, with 69% of Australian respondents whose executives had been targeted by a cyberattack reporting that these attacks have risen over the last three years. Yet again, this is much higher than the 58% of global respondents who’ve witnessed a similar increase over recent years.

Donut chart showing most employees say Australian senior executives have become targets of cyberthreats in the last 18 months

Interestingly, in the same OAIC report, 30% of data breaches were sourced from human error, marking a 36% increase compared to the 26% in the previous report (January to June 2023). [1]

Minor mistakes can lead to major consequences in cybersecurity. A simple, easy-to-guess password can have major ramifications if it leads to a successful breach by a hacker. In our first article analysing the survey data, we found that many businesses hit by cyberattacks retroactively focused on plugging gaps, such as weak passwords, irregular software updates, or insufficient network security.

If a staff member slips up in any of these ways, it may pose significant issues for the business. However, this risk is accelerated further if the person being targeted is in a company leadership position. 

What are the most common types of cybersecurity incidents targeting Aussie senior executives and why? 

While cyberattackers often modify their techniques to exploit vulnerable senior executives, some common practices continue to prevail. Respondents in our survey whose companies had suffered an attack targeting senior executives say breaches were facilitated mainly by phishing and malware attacks.

Bar chart showing the most common ways cyberattackers target Australian senior executives

Making things even more perilous is the fact that cyberattackers are deploying newer, more sophisticated methods to attack companies that are not defending high-end data securely enough. Affecting 22% of Australian respondents in targeted companies, AI-assisted deepfake attacks top the charts. 

Many of these attacks occur because of careless mistakes made by senior executives. Our data found a disregard for the risks of sharing sensitive information over unsecured channels and neglect of regular software and system updates. However, Australian respondents are slightly more diligent in the global comparison, knowing to use strong passwords and download files from trusted sources.

Stacked bar chart showing the top actions by senior executives that led to a cyberattack in Australia compared to the global average

Which types of identity fraud are Australian senior executives most commonly subject to?

There is also an especially serious risk factor of identity fraud facing executives more generally. Nearly half (48%) of our Australian respondents are working in companies hit by at least one identity fraud incident affecting a senior executive over the last 18 months. Compared to the global average, Australian senior executives witness significantly higher risks for document fraud.  

Stacked bar chart showing which types of cyberattacks Australian senior executives are more susceptible to in global comparison

Senior executives not adhering to their company’s security protocols can pose major threats to the business, especially given the access they have to secured data. While business leaders may have the capacity to override certain cybersecurity safety features in cases of urgency, it is important to know the risks of taking such actions.

Avoid being marked as an easy target for cyberattacks

Unfortunately, being targeted successfully by a cyberattacker makes further attacks more likely, especially if the target is seen as high value. Cybercriminals may share details of those who were successfully breached or who ended up sharing personal data, which can lead others to breach your systems through the same vulnerabilities. That’s why it’s important to strengthen your cybersecurity measures to avoid attacks.

You can reduce the chances of unauthorised access with safety tools, such as multi-factor authentication (MFA), encryption, and identity management software.

Aussie employees expect senior executives to receive more cybersecurity training

We found that most (83%) Australian participants say they have cybersecurity training at least once a year. Our analysis showed that senior executives most commonly receive specialised cybersecurity training compared with other staff members. This is the case for 69% of Aussie senior executives compared to the global average of 57%. However, 28% of Aussie senior executives are not provided with more enhanced training, putting them at significant risk.

That’s not to say there isn’t extensive training company-wide. We found amongst our sample that the majority have workplace coaching on subjects such as cybersecurity and data privacy. Whilst this is a good start, executives may need additional instructions to succeed against advanced cyberattacks. For example, they may need to be prepared for more advanced, individualised social engineering methods such as ‘whaling’ (highly nuanced attacks on high-value targets), which targets C-level executives specifically. 

In total, 86% of Australian respondents agree that senior executives need more frequent and specialised training than regular employees. However, in many companies, this is not happening despite senior executives' crucial role in a company's defence against cyberattacks. This is a greater concern as attacks attempting to exploit them are likely to differ from those directed at rank-and-file employees.

We focused on this factor in our survey to understand how well-prepared senior executives are to deal with potential cybersecurity threats. Overall, this is sufficiently addressed but some gaps remain.

Bar chart showing types of cybersecurity company training for Australian employees

Those in the sample with no extra training for executives say that C-level staff have justified this decision for a few reasons. The most selected response indicates that Australian senior executives already possess sufficient knowledge (43%) which is significantly higher than the global average of 30%.

Bar chart showing reasons why Australian companies don’t provide additional cybersecurity training for senior executives

Many who work in companies without extra training for their senior executives have confidence in their knowledge of cyber risks but there are reasons not to be too complacent. 

The danger posed by newer threats such as AI-generated deepfakes, identity fraud, or individualised social engineering attacks may require a rethink of this policy. The ‘sufficient knowledge’ noted by participants may no longer be enough. This is why it’s especially important to ensure that senior executives are aware of new and evolving cyberthreats and are able to identify vulnerabilities, staying as up to date as possible.

4 ways to prepare senior executives for cybersecurity risks 

There is a desire from employees and, in fact, an imperative for senior executives to be trained on the specific cybersecurity dangers they face. We’ve already seen in our findings that they are likely to be targeted and that any mistakes on their part that undermine network security can be costly.

There are a number of new and developing threats that additional cybersecurity training can help prepare executives to face effectively. These include elements such as the following:

  1. Create awareness of current threats: Cyberthreats are evolving quickly, and senior executives need to stay current on the methods that can specifically target them. As discussed before, time constraints may affect executive-level cybersecurity training. However, businesses can also rely on security awareness training software to access courses and guidance that adapt to their busy schedules without needing a specialised course.
  2. Protect image and personal data: Executives represent a major target for social engineering attacks. A lot of information needed to impersonate an executive can be found online, either from company sources, local media, or their social network activities. Therefore, it is especially important to make executives aware of what they should and shouldn’t share online and to have them regularly review their information security.
  3. Conduct a risk assessment: Executives should feel empowered to make decisions but must also be aware of potential risks that may occur when carrying out certain activities, such as finalising high-value transactions that could be fraudulent. Understanding such risks enables businesses to prevent unwanted outcomes. These might include procedures to assess if a video call is a deepfake or having network monitoring implemented that can detect threats. Additionally, preventive steps can be initiated if an incident is noticed mid-attack, such as how to halt fraudulent transactions or recover lost funds, not to mention disaster recovery strategies if they do succeed. 
  4. Ensure personal devices and networks are secure: Company information should always be kept solely on company devices, and where possible, only secure Wi-Fi networks should be used, but in today’s interconnected world, this doesn’t always happen. Insecure apps or malware can become a big issue if they get onto company infrastructure, which is why it is important to educate executives to be especially wary of exposing their devices to these risks. Using a mobile device management system can help secure mobile hardware by providing monitoring capabilities and controlling use policy.


Survey methodology

*GetApp's Executive Cybersecurity Survey was conducted in May 2024 among 2,648 respondents in the U.S. (n=238), Canada (n=235), Brazil (n=246), Mexico (n=238), the U.K. (n=254), France (n=235), Italy (n=233), Germany (n=243), Spain (n=243), Australia (n=241), and Japan (n=242). The goal of the study was to explore how IT and cybersecurity professionals are responding to the rising threat of biometric fraud. Respondents were screened for IT and cybersecurity roles at companies that use security software and have more than one employee. Respondents were screened for involvement in, or full awareness of, cybersecurity measures implemented at their company.

Sources

  1. Notifiable Data Breaches Report July to December 2023, Australian Government (OAIC)



About the authors

David is a Content Analyst for the UK, providing key insights into tech, software and business trends for SMEs. Cardiff University graduate. He loves traveling, cooking and F1.



Andrew is a Content Analyst for GetApp, giving SMEs insights into tech, software and business trends. Interest in entrepreneurship, furthering projects and startups.
