A survey of 200 employees and 75 leaders from organisations in the ANZ region has revealed a growing disconnect between lived experiences and expectations when it comes to cyber security.
Security awareness training firm KnowBe4’s new research report, ‘From Agentic Risk to Human Wins: Building a Culture of Security in the Era of Agentic AI,’ found that while business leaders expressed confidence in their organisations’ cyber security posture, one in four employees said they are too embarrassed to report security mistakes.
That leadership confidence sits alongside 56 per cent of employees reporting that time pressure and other distractions cause them to “knowingly make risky decisions”.
Dr Kawin Boonyapredee, CISO Advisor at KnowBe4, told Cyber Daily that organisations need to “create an environment where speaking up is easy and supported”.
“One insight from our research that stood out to me is just how wide the gap between leadership perception and employee reality is. On one hand, you have most leaders believing employees feel comfortable reporting mistakes, but then you have one in four employees admitting they sometimes still hold back due to embarrassment,” Dr Boonyapredee said.
“For business leaders, that points to a cultural challenge. If employees are concerned about blame or judgement, they will hesitate to speak up, and that silence creates risk that even the most advanced security controls cannot mitigate. It only takes one unreported mistake or one delayed escalation for an incident to become something much larger.
“Leaders should focus on fostering a culture where reporting is positioned as positive and routine behaviour. This means recognising early action, removing stigma around mistakes, and creating an environment where it's easy and natural to speak up and do the right thing.”
According to Dr Boonyapredee, staff training needs to evolve to match the changing threat landscape. Deepfakes in particular are emblematic of the disconnect between workers and their bosses: 88 per cent of leaders were confident their employees could identify deepfake content, but 85 per cent of employees said such content was too realistic to spot reliably.
“When the vast majority of employees say deepfake content is difficult to distinguish from real conversations and acknowledge they could be fooled by a convincing impersonation, it’s clear that traditional, one-off training is no longer sufficient. Training must be continuous, practical, and grounded in real-world scenarios so employees can build confidence over time,” Dr Boonyapredee said.
“Organisations also need to prepare and design for the reality that people are often operating under pressure, and that’s where simple, in-the-moment support matters most. With 56 per cent of employees telling us that time pressure contributes to risk-taking and mistakes, even when they know the correct process, it’s clear that intuitive support is essential.
“By putting in place clear reporting pathways, prompts, and quick ways to verify suspicious activity, employees can make the secure choice easier to act on, even when they are busy or uncertain.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.