By Justin Reilly, CEO, Impero Software
Although cyber threats are common across all sectors, one of the most lucrative targets for security breaches is finance. The financial sector is known for having a particularly rigorous security protocol, but inbound threats have responded by becoming ever more elaborate. Firms will need to remain vigilant to stay ahead of the curve, especially regarding the actions of employees and the security of their devices.
The risk of cyber-attacks in the financial sector is currently extremely high. Impero’s recent device security survey of over 400 financial services firms reported that one in three financial sector employees have been involved in at least one cybersecurity incident.
Threats of cyber-attacks are only set to rise. Therefore, firms must work with their employees to develop clear security protocols, as well as taking a proactive approach to adopting cyber safeguarding measures. The latter is especially important – firms cannot rely on technology alone and must also pay close attention to how employees access company systems and data.
Accessing sensitive systems and data
One of the largest risk factors over the last couple of years has been the rise in remote and hybrid working arrangements. Those employees less versed in cybersecurity may have assumed that the local coffee shop’s network was fine to use – but public Wi-Fi networks are often unsecured. Unfortunately, accessing company data over such networks has become common. The same is true for unsecured personal devices, with a quarter of those surveyed admitting to using them to access sensitive company data.
The question of standardisation is very much relevant here. Firstly, there is not always a company policy around the use of personal devices for work. Secondly, and perhaps more pressing in the long term, is the lack of general “cyber security at work” protocols in many organisations. For example, the survey found that 36% of financial services employees have not been given any kind of password manager and a further 31% do not have access to a virtual private network (VPN), a commonly recommended measure for users of unsecured networks and especially for financial industries.
The lack of protocol and cyber security infrastructure is causing considerable anxiety among employees in the sector. Almost half of those surveyed (45%) state that working from home or remotely has caused them to worry more about how secure their devices really are. Even though many portions of the sector are starting to become office-based again, remote working culture has made a profound impact and is highly likely to stay. Consequently, and with the threat of cyber breaches only on the rise, 26% of financial services employees are concerned that they may be involved in a security breach in the near future.
Improving the situation
Financial services staff are on the front lines of the battle for cybersecurity. If their concerns are to be properly addressed, they need adequate training and resources. Adequate training is a must in the age of remote work so that employees out of the office can run through a mental checklist of do’s and don’ts before they access any sensitive company systems and data. Our study found one in ten respondents lack confidence in identifying common cybersecurity threats. Although it may seem like a low figure, this is a concern given the significant risk involved when working in financial services. Just one mistake by one employee can lead to an incident with profound, far-reaching consequences.
The survey also revealed that over a quarter (26%) of employees believe their company’s training regime could be improved. This could take a variety of forms: in-person workshops, online sessions and asynchronous learning materials, for example. The training would improve the remaining deficit in confidence among employees, enabling them to work anywhere safely and in the knowledge that they are not exposing the company to attacks.
Additionally, companies must provide employees with the necessary tools and infrastructure to work securely. VPNs are a great example of an inexpensive safeguarding method that can boost online security companywide. While 80% of the financial sector has access to VPN software, that still leaves two in ten firms that could benefit from the greater security offered. Adopting the technology would leave decision-makers with greater confidence in employees working remotely. But a VPN has little effect if few choose to use it. Therefore, decision makers must ensure that tools such as VPNs are not just available, but mandatory.
Managing personal devices
Companies should also consider that many employees will be using multiple devices to work. Over three in ten respondents claim to use between three and five devices at work, with some of these likely to be personal devices. Indeed, ‘Bring Your Own Device’ (BYOD) has grown popular amongst employees in recent years.
It is not enough for a company to simply have a security protocol for using personal devices at work – it must be enforced. This means clear instruction on what is or is not allowed and, if the company permits the use of personal devices, ensuring that all relevant security software is pre-installed.
Regarding which devices are permissible and which are not, respondents were somewhat split. Just over a quarter (26%) stated that companies should not allow personal devices to be used for work-related activities. Companies must weigh up the potential security risks of a BYOD policy versus the benefits to employee experience it can bring.
Greater security, better employee experience
Given the anxieties surrounding cyber security threats, bolstering defences is not just about safeguarding systems and data, but also employees. Providing a clear set of policies and improving awareness will go a long way towards improving employees’ confidence in recognising and reporting common cyberthreats. This is not a trivial matter as far as retention is concerned – nearly half (45%) of employees in the financial sector would consider leaving their position if they or their company had been involved in a serious security breach.
All these measures are important because, although the financial services sector is undoubtedly well guarded against attacks, 90% of respondents still believe more can be done. If companies develop the right mix of cybersecurity knowledge, processes and technology, it will inevitably lead to a safer and more prosperous industry.