SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Financial Services face cyber risk disconnect, says study


Recent research highlights a disconnect between cyber risk owners and employees in Financial Services over how effective, and how well received, cyber security training actually is.

e2e-assure, a Threat Detection and Response provider, recently conducted a study showing that a significant majority (82%) of cyber risk owners in the sector believe employees are engaged in the training offered. However, the majority (69%) of workers indicated they were either only "somewhat engaged" (55%) or "not engaged" (14%) in the training provided by their organisation.

As Financial Services undergo digital transformation, staff are exploring new tools to boost productivity. This has led to 76% of cyber risk owners expressing concerns about the use of AI within their organisations, with 25% being "very concerned" and 51% "somewhat concerned." Furthermore, 43% of cyber risk owners noted their biggest frustration with employees was the use of unauthorised software.

The research identifies a disconnect between confidence in AI policies and employee understanding. While 80% of cyber risk owners are confident in the AI policies they have implemented, 20% of employees revealed they are unaware of these policies, and 17% were uncertain about their existence.

Comparing this year's findings with data from 2023, the proportion of cyber risk owners prioritising resilience has risen from 34% to 49%. At the same time, speed is the top priority for 57% of respondents, indicating a shift towards prioritising speed over resilience. Speed matters in this sector, but pursuing it at the expense of resilience risks eroding those gains and leaving firms more exposed to external threats.

In the event of a cyber breach, 43% of Financial Services employees face disciplinary action, the highest figure across the sectors surveyed. Despite cyber risk owners' confidence in their training and AI policies, employees report that the training is not effective: 69% describe themselves as only somewhat engaged or not engaged at all.

Notably, 37% of employees have witnessed a cyber security incident, but only 14% reported it to IT. This reluctance to report may stem from fear of disciplinary consequences, and an incident that goes unreported cannot be investigated or contained quickly, undermining the very speed and efficiency the sector prioritises.

The study also points to a blind spot among cyber risk owners who are confident in their training programmes. Employees receive little practical training: only 39% take part in real-life scenario training, even though 82% say they would prefer it.

Rob Demain, Founder and CEO at e2e-assure, commented: "Our research paints a picture of a sector that is overly focused on external threats, rather than fully understanding the risks from within such as employees being unaware of AI policies and therefore using unauthorised software that could jeopardise a company's security.

"This sector's reactive approach to cyber defence and employee training, perhaps understandable in an industry which prioritises speed due to high stakes, is having the unintended consequence of increasing cyber risk.

"Data attacks such as phishing are becoming more frequent in the Financial Services sector. To ensure future resilience, cyber risk owners must turn their attention to how to mitigate this risk through effective, tailored employee training."

The findings underscore the need for cyber risk owners to strengthen their resilience frameworks from the ground up, with recommendations including tailored training, fostering a security-aware culture, employing automation to reduce human error, and ensuring the right cyber security providers are engaged.
