Welcome to our Cyber Security News Aggregator. Cyber Tzar provide a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Alarming disconnect between cybersecurity and financial services, report finds

published on 2024-12-13 12:58:33 UTC by Eve Goode
Content:

New research by Threat Detection and Response provider e2e-assure has revealed an alarming disconnect between cyber-risk owners and employees within Financial Services when it comes to cybersecurity training.

Cyber-risk owners

  • 82% of cyber-risk owners in the sector have stated that they are confident their employees are engaged in the training they offer
  • 69% of workers said that they are either ‘somewhat engaged’ (55%) or ‘not engaged’ (14%) in the training provided by their organisation

As the sector undergoes digital transformation and operational efficiencies are increasingly pushed for, staff are experimenting with new tooling to increase their productivity.

As a result, most cyber risk owners:

  • 76% of all workers feel either ‘very concerned’ (25%) or ‘somewhat concerned’ (51%) about the use of AI within their organisation
  • Over one in four cyber-risk owners (43%) said their biggest frustration with employees was the use of unauthorised software
  • Although most cyber-risk owners (80%) are confident in the AI policies they have introduced, there is a clear disconnect between the confidence in these policies and employee understanding
  • One in five employees (20%) stated their company has policies but admitted they don’t know what they are, and 17% have no idea whether their company has them

Comparing this year’s findings to e2e-assure’s 2023 research:

Although 49% of cyber-risk owners in Financial Services say resilience is at the top of their agenda this year, up from 34%, speed is now the top priority for the majority (57%).

This focus on speed over resilience could suggest that the sector has a closer eye on external threats, jeopardising previous resilience gains if left unchecked.

Cyber-attacks

  • The research showed that when cyber-attacks happen, 43% of Financial Services employees receive a disciplinary and training if they cause a breach, the highest out of all the sectors surveyed
  • Employees revealed the training they are receiving isn’t cutting through, with the vast majority (69%) either only ‘somewhat engaged’ (55%) or ‘not engaged’ (14%) in the training provided by their company
  • 37% have witnessed cybersecurity incidents happen, but only 14% have reported them to IT

Compatibility with the sector

In a sector for which speed is most important, this approach could ironically be slowing companies down, with breaches being framed as individual failures and employees afraid to report cyber-malpractice due to a reactive focus on disciplinaries.

The data also highlights how cyber-risk owners’ confidence in training programmes may be causing them to overlook gaps in the process.

The research revealed employees are not receiving the style of training that resonates with them.

Employees in this sector are less likely to receive real-life scenario training (39%), despite a huge majority (82%) of workers stating they would be more engaged if they did.

“Ensure future resilience”

Rob Demain, Founder and CEO, e2e-assure commented: “Our research paints a picture of a sector that is overly focused on external threats, rather than fully understanding the risks from within such as employees being unaware of AI policies and therefore using unauthorised software that could jeopardise a company’s security. 

“This sector’s reactive approach to cyber-defence and employee training, perhaps understandable in an industry which prioritises speed due to high stakes, is having the unintended consequence of increasing cyber-risk.”

Demain added: “Data attacks such as phishing are becoming more frequent in the Financial Services sector.

“To ensure future resilience, cyber-risk owners must turn their attention to how to mitigate this risk through effective, tailored employee training.”

Four recommendations

The findings show it’s vital for cyber-risk owners to start looking at their resilience picture from the ground up, with four key recommendations emerging:

  1. Tailor training to engage employees 
  2. Create a security awareness culture 
  3. Use automation to reduce human error 
  4. Have the right provider in place

To read the full report visit this link.

Article: Alarming disconnect between cybersecurity and financial services, report finds - published 24 days ago.

https://securityjournaluk.com/disconnect-cybersecurity-financial-services/   
Published: 2024 12 13 12:58:33
Received: 2024 12 16 02:19:28
Feed: Security Journal UK
Source: Security Journal UK
Category: Security
Topic: Security