More than half (51 per cent) of financial services workers say they are working longer hours with the introduction of working from home and hybrid working practices. This has led 22 per cent to state they feel there is a heightened likelihood of mistakes.
The research of 1002 financial sector employees was conducted by CybSafe, the provider of cloud-based software that reduces organisational risk by improving people’s security decisions and behaviours. It also found that 39 per cent of financial services sector employees are concerned about their employers monitoring their work, leading to increased pressure and feelings of lack of trust.
The number of cyber-attacks facing financial services continues to rise. According to CybSafe’s analysis of recent ICO data, the sector saw a 1.5 per cent increase in attacks in H2 of 2021 compared to H1. Despite the rising threat, the working landscape within financial services has undoubtedly changed forever. The Financial Services Skills Commission and KPMG found that 78 per cent of workers were able to do their job from home with relatively little disruption. Furthermore, a survey from Deloitte discovered that three-quarters (76 per cent) of workers felt they were as productive, or more productive, working from home.
With increased flexibility has come increased oversight and surveillance, with 60 per cent of people reporting being subject to some form of technological surveillance, according to TUC in February 2022.
Commenting on this trend, Oz Alashe MBE, CEO Of CybSafe, said: “Flexible working has given people a new sense of control and balance within their working lives. But the lack of in-person oversight in such a short time has made many organisations nervous. While this reaction is perhaps understandable, they must be careful.
“Surveillance can often lead to an atmosphere of expectation and blame that discourages employees from flagging potential issues or concerns. Similarly, if employees are punished or reprimanded for genuine cyber security mistakes, it can lead to a culture of silence, ultimately leading to the suppression of potentially costly errors.
“Adopting a culture wherein people are encouraged to flag concerns, ask for help, and develop their security practices without punishment will mean organisations are at a lower risk of being blindsided by the outcomes of an issue that wasn’t reported. An organisation’s people want to be part of the solution, and the onus is on their company to allow them to do that.”
Despite the increase in employer surveillance, CybSafe’s survey showed no indications people in the financial services sector were displaying worse security behaviours or doing the wrong thing during a breach. On the contrary:
- 64 per cent of workers say they are more aware of cyber threats since starting to work from home/hybrid.
- 80 per cent say they are confident in their ability to spot and navigate a cyber threat (with only 11 per cent saying they are not).
- 71 per cent agree they feel personally responsible for ensuring their organisation’s security.
Interestingly, when respondents were asked how they reacted the last time they received a phishing email, only 0.7 per cent said they interacted with it. On the other hand, sixty-four per cent said they reported the email to the IT department or their manager.
“These figures align with CybSafe’s recent analysis of ICO data which saw an eight per cent decrease in phishing overall. However, despite this positive sign, organisations are still at risk of increasingly complex attacks.
Commenting on the research, Oz Alashe MBE, continued, “There was a time where we thought cyber awareness training was both needed and essential. Recent research suggests, however, we must shift the conversation within the cyber security space. Just because a person knows how they should behave doesn’t mean that is how they will behave. For example, most – if not all – smokers know they shouldn’t smoke, but they still do. The same is true for cyber security. People know cyber security is important and how they should behave to be responsible. This doesn’t mean they will always act accordingly. It is simply human nature.
“Therefore, we need to shift the conversation away from awareness training and towards tackling specific security behaviours. Businesses should be able to understand and analyse what behaviours within their workforce are leading to security weaknesses and devise plans to tackle and alter them.”