Dangerous gap in cyber security confidence between employees and cyber risk owners

New research by Threat Detection & Response provider, e2e-assure, reveals a dangerous gap in confidence between Professional Services employees and cyber risk owners, when it comes to cyber security within their organisations.

  • Thursday, 9th January 2025. Posted by Phil Alsop

Although most (92%) cyber risk owners in this sector are confident in their resilience, the majority (65%) of employees are only ‘somewhat confident’, versus 15% who are ‘very confident’, when asked how secure they felt their organisation was.

This comes as the majority (78%) of Professional Services employees admit they’ve seen a colleague breach cyber security best practice (the highest when compared to Healthcare, Manufacturing and Financial Services), with 88% saying they’ve personally been a victim of a cyber attack at work.

42% of cyber risk owners in Professional Services rely on vendors to provide Managed Threat Detection & Response, up from 40% last year. Yet the number of inbound cyber attacks against Professional Services organisations is also up, from 77% to 90%. This raises the question: why are they failing?

The report finds the answer could lie with a lack of employee responsibility. Worryingly, only 9% of employees report colleagues to IT when they witness them breaching cyber security protocol, and only 6% believe cyber security is the collective responsibility of the organisation, evidence of a lack of action taken in response to attacks when they do happen.

Professional Services is a sector where speed is paramount. The fact that employees are witnessing breaches but not responding suggests they are more focused on client delivery than on the risks and consequences of ignoring cyber security best practice.

Backing this up, only 11% of employees in this industry say they are ‘very engaged’ in cyber security training, suggesting that they don’t feel compelled, or simply do not have the time, to dig deeper and take action. This contrasts with the vast majority (85%) of cyber risk owners in Professional Services who say their workers are engaged in cyber security training.

This disconnect in confidence between cyber risk owners and employees is also apparent when it comes to new technologies. The rising adoption of AI is posing a real challenge for all sectors, with Professional Services being no exception. The sector has the highest employee usage of open AI compared with all the sectors surveyed – with over a third (31%) using it at least once a week.

Despite the fact that 88% of cyber risk owners in Professional Services are confident of the current AI policies in place at their organisation, almost a quarter (20%) of employees say they know that AI policies exist, but they have no idea what they are.

The report reveals that this combination of the highest use of AI, coupled with employees’ lack of awareness of current AI policies in place, could result in large difficulties for effective Detection & Response within Professional Services.

The data also highlights how cyber risk owners’ confidence in training programmes may be causing them to overlook knowledge gaps. The research revealed 70% of employees are more likely to engage in cyber security training if it is focussed on personal security (71%) and based on real-life scenarios (70%), which suggests cyber risk owners are not providing training that ladders up to these preferences.

Rob Demain, Founder and CEO at e2e-assure, said:

“Professional Services organisations are particularly at risk as they are often the gatekeepers to larger organisations – meaning supply chain attacks in this sector are rife.

“With so many employees disengaged in cyber security due to a focus on client delivery and efficiency, it’s imperative that cyber risk owners pay attention to building holistic resilience from the ground up through proper training.

“Cyber risk owners must meet employees where they are, seeking to understand their behaviour around AI usage and educating them about the risks. This will serve to embed the belief that cyber security is a collective responsibility, ultimately driving up cyber resilience.”

The findings show it’s vital for cyber risk owners to start looking at their resilience picture holistically, with four key recommendations emerging:

  • Tailor training to engage employees
  • Create a security awareness culture
  • Use automation to reduce human error
  • Have the right provider in place
