Brian Sims
Editor

Overconfidence in cyber security policies “could undo resilience gains”

Posted to News on Tuesday, December 17, 2024 Share:

NEW RESEARCH conducted by threat detection and response solutions provider e2e-assure reveals an alarming ‘disconnect’ between cyber risk owners and employees within the financial services sector when it comes to cyber security training.

Despite most (ie 82%) cyber risk owners in this sector being confident employees are engaged in the training they offer, the majority (69%) of workers said they’re either only ‘somewhat engaged’ (55%) or ‘not engaged’ (14%) in the training provided by their host organisation.

As the sector undergoes digital transformation, and operational efficiencies are increasingly pushed for, staff are experimenting with new tooling to increase their productivity. As a result, most cyber risk owners (76%) are feeling either ‘very concerned’ (25%) or ‘somewhat concerned’ (51%) about the use of Artificial Intelligence (AI) within their organisation. Over one in every four cyber risk owners (43%) said their biggest frustration with employees is the use of unauthorised software.

The research also found that, although most cyber risk owners (80%) are confident in the AI polices they’ve introduced, there’s a clear ‘disconnect’ between the confidence in these policies and employee understanding. One-in-five (20%) employees stated their company has policies, but admitted they don’t know what they are, while 17% have no idea whether their company has them.

Comparing this year’s findings to e2e-assure’s 2023 research, although 49% of cyber risk owners in the financial services sector say resilience is at the top of their agenda this year, which is up from 34%, speed is now the top priority for the majority (57%). This focus on speed over resilience could suggest that the sector now has a closer eye on external threats, jeopardising previous resilience gains if they’re left unchecked.

Disciplinary and training

The research has shown that, when cyber attacks happen, 43% of financial services sector employees receive a disciplinary and training if they cause a breach. Despite cyber risk owners’ confidence in training and the AI policies being rolled out, employees revealed the training they’re receiving isn’t cutting through, with the majority (69%) either only ‘somewhat engaged’ (55%) or ‘not engaged’ (14%) in the training provided by their company.

In addition, while 37% have witnessed cyber security incidents happen, only 14% have reported them to the IT Department. In a sector for which speed is of the utmost importance, this approach could be slowing companies down, with breaches being framed as individual failures and employees afraid to report cyber malpractice due to a reactive focus on disciplinaries.

The data also highlights how cyber risk owners’ confidence in training programmes may be causing them to overlook gaps in the process. The research reveals that employees are not receiving the style of training that resonates with them. Employees in this sector are less likely to receive real-life scenario training (39%), despite a huge majority (82%) of workers stating they would be more engaged if they did.

Focused on external threats

Rob Demain, founder and CEO at e2e-assure, said: “Our research paints a picture of a sector that’s overly focused on external threats rather than fully understanding the risks from within such as employees being unaware of AI policies and, as a result, using unauthorised software that could jeopardise a company’s security.”

Demain continued: “This sector’s reactive approach to cyber defence and employee training, perhaps understandable in an industry which prioritises speed due to high stakes, is having the unintended consequence of increasing cyber risk.”

Further, Demain affirmed: “Data attacks such as phishing are becoming more frequent in the financial services sector. To ensure future resilience, cyber risk owners must turn their attention towards how to mitigate this risk through effective and tailored employee training.”

The study findings show that it’s vital for cyber risk owners to begin looking at their resilience picture from the ground up, with four key recommendations emerging: tailor training to engage employees, create a security awareness culture, use automation to reduce human error and have the right provider in place.

*Download copies of ‘Financial Services: Cyber Resilience 2025’

Company Info

WBM

64 High Street, RH19 3DE
EAST GRINSTEAD
RH19 3DE
UNITED KINGDOM

03227 14

Related Topics
Business Resilience
Cyber Security
e2e-assure
Financial Sector
Risk Management
Training
Related Articles
Latest Webinars
Biometric access control: are fingerprint cards the future?
Biometric access control: are fingerprint cards the future?
Bandweaver signposts webinar on optical fiber for perimeter security
Video Surveillance: Exploring New Horizons
Perimeter Intruder Detection Solutions
Related Resources
Cyber risk facing UK “widely underestimated” warns head of NCSC
Security Matters Podcast – Episode 32 now live to view
Security Matters Podcast – Episode 31 now live to view
Latest News
SIA hosts security business leaders at Labour Exploitation Summit
Sharing of extremist material online results in eleven-year jail term
“UK should consider paying whistleblowers” observes Think Tank RUSI

Login / Sign up