Room for improvement in financial services cybersecurity training

Sufficient cybersecurity training found to be crucial but some sectors treat it as more of a priority than others.

There were 2.39 million instances of cybercrime and 49,000 instances of fraud in UK cyberspace from April 2022 to April 2023, according to UK government estimates. The figures show 32% of businesses recalled a breach, with the number much higher for large firms (69%).

A survey by cloud security company Indusface looked into whether businesses are carrying out sufficient cyber security training for employees, finding that employees in financial services were unprepared for attacks compared with those in a number of other sectors.

Some 73% of finance employers actively train employees in cyber security, while the number is significantly higher in utilities (96%), real estate (94%), and manufacturing (92%).

Overall, 67% of businesses invested in cybersecurity training, but only 58% actively trained employees.

Responses when asked – Do you train your employees in cyber security?
Illustration: Indusface

Despite this, only 25% of financial services businesses said they had suffered a cyber attack. A large percentage of attacks came in the form of email hacks. The UK government found that 89% of businesses had suffered a phishing attack in the last year to April.

Some vulnerabilities are a result of shifts in ways of working since the pandemic. The proportion of businesses restricting access to business-owned devices has fallen successively and substantially over the last four years.

Response when asked – Which parts of your business were targeted in the attack?
Graphic: Indusface

“While we found that email hacking is the most prevalent, the way it is carried out is very versatile. Phishing is a much-talked-about threat; however, bot attacks such as account-takeover and credential stuffing could also be used to hack emails and get access to email accounts,” Venky Sundar, Founder, Indusface, said.

“The other method is when hackers exploit an SQL injection vulnerability on a table and extract all credentials through the vulnerability. In addition to training all employees on how to evade phishing attacks, organizations will also find it worthwhile to run regular security assessments and implement a WAAP solution to filter out malicious attacks right at the perimeter before the attacks hit the application servers.

“Finally, it is important to build defences in depth. [Particularly in the] SME space, security software needs to be constantly updated, and the acute shortage of talent and resources means that SMEs run outdated security software products.”

The Indusface survey used in the piece involved 2,200 people in 18 sectors and was conducted in July.