QBE research reveals cyber blind spots and generational habits shaping workplace risk

A new report from QBE Insurance, Click, breach, repeat, reveals that cyber risk in the workplace is shaped by employee behaviour, not just technology. The findings point to vulnerabilities driven by everyday habits, misplaced confidence, and a lack of shared responsibility.

The research uncovered a striking blind spot, nearly 60% of employees believe they’ve never made a cyber mistake at work. This overconfidence is reinforced by 86% of respondents saying they feel confident in spotting cyber threats, despite the reality that many breaches go unnoticed.

QBE’s Global Head of Cyber, Serene Davis, says this disconnect between perception and reality is a concern for organisations.

“While confidence can be valuable, overconfidence can create risk and delay recovery action. Many breaches aren’t immediately visible and attackers often wait, or pass stolen data to others who exploit it later,” Ms. Davis said.

Miro Dordevich, Head of Portfolio – Cyber for QBE New Zealand, builds on this disconnect, noting that perceptions are not always reality.

“Confidence without awareness is like leaving the front door open because you trust the neighbourhood. Just because a threat isn’t visible doesn’t mean it isn’t there. Cyber attackers thrive in the shadows,” he said.

Among the most surprising insights, Gen Z employees – often seen as the most digitally fluent – are more likely than older generations to dismiss security warnings (55%), delay critical software updates (46%), and reuse passwords across personal and work accounts (72%), contributing to a heightened risk profile. (See tables 1-3 for comparison).

“These cyber hygiene behaviours from our younger generations can open the door to cyber threat actors, who are increasingly relying on human error to exploit an organisation’s cyber security,” Ms Davis said.

“Younger generations are often juggling multiple devices, apps, and logins, and can be less tolerant of security measures that interrupt their workflow. This can increase the likelihood of human error, which is the leading cause of most cyber incidents.”

The research also revealed a gap between how employees view cyber responsibility and how organisations actually manage it. When asked who they would blame if a breach occurred, 31% of workers pointed to their IT department, far outpacing executives (13%), third-party providers (5%) and even hackers or cyber criminals (26%).

“In an effective cybersecurity culture, responsibility needs to be shared and understood across the organisation, from the front desk to the boardroom. Unfortunately, for too many businesses, cyber remains siloed as ‘an IT problem,’ leaving leaders underprepared to manage during a crisis and employees unsure where they stand,” added Ms Davis.

The report, Click, breach, repeat, is available for download on the QBE website.

The report coincides with the launch of QCyberProtect – QBE’s cyber insurance solution. QCyberProtect brings together QBE’s global expertise and local insights to deliver a solution tailored to the unique risks faced by New Zealand businesses. It’s designed to go beyond traditional insurance, offering a comprehensive approach that supports businesses before, during, and after a cyber event.

What sets this product apart is:

• Prevention-first tools and guidance
• Broad, clear cover for today’s risks
• Global knowledge tailored for NZ threats
• Ongoing support, including cyber specialists and recovery resources.

Table 1: How often do you dismiss a security warning on your device?

Table 2: How often do you use the same password (or slight variation), across work and personal accounts?

Table 3: Have you ever knowingly delayed or avoided a password change or major software update because it felt like a hassle?

For media enquiries, please contact:

Kim Strudwick
Senior Manager, Marketing & Communications
Phone: 027 546 6453
Email: [email protected]