How to close the cybersecurity confidence gap when 78% admit to rule-breaking?

A staggering 78% of employees in professional services admit to breaching cybersecurity protocols, exposing a critical vulnerability in an industry already under siege from escalating cyber threats.

  • Marina Mouka
  • January 10, 2025
  • 4 minutes

The professional services sector faces an alarming disconnect in cybersecurity confidence between employees and those responsible for managing cyber risks. A recent report by e2e-assure sheds light on a critical issue: the sector’s overconfidence in its cyber defenses is leaving organizations vulnerable to evolving threats.

Professional Services, in particular, has emerged as the most targeted industry for cyberattacks, with 94% of cyber risk owners reporting that they had experienced an attack—an alarming rise from 77% just a year prior. Meanwhile, 88% of employees admitted to being victims of workplace cyber incidents.

Despite these stark realities, there is a troubling disparity in confidence levels. A staggering 92% of cyber risk owners in the sector believe their organizations are secure, compared to only 15% of employees who share this sentiment. Furthermore, 78% of employees have witnessed colleagues breach cybersecurity protocols, yet only 6% believe that cybersecurity is a collective responsibility.

AI: A Double-Edged Sword for Cybersecurity

Artificial intelligence (AI) is rapidly transforming the business landscape, but its adoption within Professional Services is fraught with risk. The report reveals that employees in this sector are the most frequent users of OpenAI tools, with 31% using them weekly and 26% monthly. However, this enthusiasm is coupled with a worrying lack of awareness: 50% of employees admit they do not know their organization’s AI policies.

Cyber risk owners recognize the dangers, with 82% expressing concerns about AI’s potential to introduce vulnerabilities. Yet, 88% are confident in their existing AI policies. This overconfidence, combined with employees’ ignorance of these policies, creates blind spots in cybersecurity defenses. Unmonitored AI usage could lead to unauthorized access, data breaches, and compromised client information.

Training: A Critical Missing Link

The report also highlights significant shortcomings in employee training. While 85% of cyber risk owners claim their workers are engaged in cybersecurity training, only 11% of employees describe themselves as “very engaged.” Even more concerning, 41% of employees stated they receive no training or disciplinary action after causing a cyber breach.

This lack of engagement is compounded by ineffective training methods. More than 70% of employees indicated they would be more likely to participate in cybersecurity training if it focused on personal security or real-life scenarios.

The disconnect between cyber risk owners and employees, however, extends beyond training and technology. Leaders within the sector appear overconfident in their defenses, with 92% stating they feel their organizations are secure. This confidence starkly contrasts with employees’ firsthand experiences of policy breaches and insufficient training.

The Professional Services sector is uniquely service-driven, with employees prioritizing client needs over security protocols. This client-centric mindset, while valuable, often leads to shortcuts and risky behavior, such as using unauthorized software to meet deadlines.

Bridging the Gap: Recommendations for Resilience

To address these challenges, the report offers actionable recommendations:

  1. Improved Communication: Cybersecurity policies must be communicated in clear, relatable terms, fostering collaboration between employees and security teams. Real-life examples and scenario-based training can help bridge the gap in understanding.
  2. Policy Engagement: Involving employees in the development of cybersecurity policies can reduce friction and improve adherence. This is particularly important in a sector with high AI adoption, where policies must balance innovation with risk mitigation.
  3. Stakeholder Buy-In: Team managers play a crucial role in fostering a culture of shared responsibility. By embedding cybersecurity into day-to-day operations, they can ensure it becomes a core component of organizational culture.
  4. Automation: Leveraging automated detection and response systems can mitigate human error and enhance resilience. However, these systems must be paired with regular testing and clear alert protocols to avoid friction between security teams and employees.
  5. Choosing the Right Providers: Organizations must partner with Managed Threat Detection and Response (MTDR) providers that offer tailored solutions, technological autonomy, and flexible agreements. These partnerships can provide an essential safety net for inevitable moments of human error.