Nearly half (49%) of IT security incidents experienced by UK financial organisations during the pandemic were a result of employee actions, according to new research from Kaspersky. These findings come as the sector is under increasing pressure to comply with more stringent measures imposed by the FCA around operational and cyber resilience, which came into force in March 2022.
The survey[1], which canvassed the opinions of 200 IT decision-makers from the UK financial services sector, revealed that employees are one of the weakest links in the industry. This has increased since COVID-19, with remote working opening the door to the use of less secure home networks, and has been exacerbated by rising levels of bring-your-own-device policies.
The data shows that the biggest risks employees pose to IT security and data protection are ignoring company policies (16%), remote working (13%) and shadow IT (16%). A lack of cybersecurity awareness also led 44% of decision-makers to fear the impact of regulatory fines for non-compliance. In fact, seven in 10 (70%) respondents also agreed that increased regulations heighten the risk of non-compliance.
Despite the potential consequences of employees’ actions, only 37% of IT employees in financial services are regularly trained on security topics and procedures. The numbers are even lower in other departments, such as accounting and marketing – between 21% and 35% of respondents stated that less than half of employees are regularly trained, despite all employees having access to confidential business materials and to online systems.
Commenting on the research findings, Jean Lehmann, CEO, Cyber Capital HQ, said: “The convergence between the acceleration in digital transformation and increased regulations is incentivising the financial services sector to strengthen security and compliance safeguards. If security awareness among employees in all departments does not keep pace, the risk of non-compliance is heightened. Cybersecurity awareness is an essential element to mitigate the very real threats due to a lack of compliance.”
In response to the increased risk of misjudged employee actions, and acknowledging internal security shortcomings, 47% of those surveyed would like to work with an external partner for cybersecurity. More than half (58%) of respondents have already engaged external IT security service providers, including for threat intelligence, and the same proportion (58%) use preventive tools and expertise internally to detect and analyse cyber threats.
“This research clearly shows that many employees in the financial sector lack basic awareness of cybersecurity and that there is room for improvement when it comes to training and putting theory into practice. Technology alone is not enough to ensure compliance and complete protection from threats. Education combined with technology and threat intelligence is key, as employees must understand possible attack vectors and the consequences of their own actions – just one wrong click on a malicious link in an email could open the door for cybercriminals to infiltrate an entire company network,” adds David Emm, principal security researcher at Kaspersky.
To find out more about the research and how to ensure your employees don’t derail operational changes and compliance, visit this link.
[1] Research conducted by Arlington Research on behalf of Kaspersky in January 2022. 200 IT decision-makers from the financial industry in the UK were surveyed, of whom 78.6% were senior or middle management. More than half (54%) of the sample work in companies with 50-499 employees, while 46% are at organisations with more than 1,000 workers.