According to the "IT Security: focus on the financial sector in Italy" research conducted by Kaspersky, a quarter of Italian companies in the banking and financial sector suffered a breach caused, intentionally or unintentionally, by employees during the pandemic.
Financial companies are considered a lucrative target by cybercriminals for three reasons: the large flows of money they handle, the huge quantities of sensitive customer data they hold, and the degree of digitization of the sector, which since the beginning of the pandemic has had to manage remote access for employees. The behavior and skills of employees with regard to IT risks are in fact a factor that should not be underestimated in the Italian financial sector, because employees often do not receive adequate IT training.
Employees: The entry point for attacks
13% of respondents consider employees unfamiliar with company security policies and practices to be their top threat, rising to 22% among small and medium-sized businesses, and declining to 8% among large enterprises. 7% indicate smart-working and remote workers as a potential risk and vulnerability. There is also a widespread awareness among respondents that the slightest inadvertent error can endanger entire segments of business systems.
Employees who ignore or don’t know company policies are considered as dangerous as a lack of dedicated IT security personnel (13%).
Regular training sessions are not yet widespread
Only 8% of the interviewees report that outdated programs were used as a gateway to access the corporate network, and 10% report having suffered attacks through an external service provider or a partner company. Whether it is opening an attachment, clicking an infected link, or downloading unauthorized software, cybercriminals often target employees to find a way into the corporate network. On the other hand, although financial firms provide more information security training to IT staff than to any other professional role, there is certainly a lot of room for improvement: regular employee training sessions are not yet widespread enough.
The security of the IT department
In companies with more than 1,000 employees, the areas with the highest number of staff regularly trained on cyber threats and cyber security behaviors belong to the IT department, followed by executives and analysts. Only a third of IT managers (33%) declare that 100% of the IT department undergoes regular training, while they estimate that on average two thirds of the total are regularly trained (67%). This percentage is also reflected among executives (64%) and other departments such as executive assistants (61%), marketing (56%), analysts and traders (62%) and accounting (59%). In general, therefore, only slightly more than half of the employees (54%-67%) attended training sessions dedicated to IT security.