Report: Careless Clicks: Cyber Attitudes in Financial Services
Insights from a UK financial services survey on confidence, clicks and everyday cyber habits
Length: 16 pages | Format: PDF
We all like to think that our teams wouldn’t click on suspicious-looking links or attachments. But the reality doesn’t always meet this expectation. Just one error of judgement can lead to entire IT systems being compromised by malware or ransomware, and high costs linked to operational disruption, damaged reputation and potential fines.
With hackers becoming more sophisticated and pervasive, we wanted to find out whether everyday bad practices are putting firms at risk of a cyber attack.
We surveyed 200 finance professionals in the UK to test their knowledge and awareness, and to find out whether they receive regular training and advice on how to deal with the threat.
Highlights from the report:
- 85% say they’re confident they could spot a cyber attack
- 59% admit to clicking on a link or opening an attachment that could have been a phishing scam or cyber attack
- 37% use weak or easy-to-guess passwords for work systems
- 42% don’t receive regular cyber security training
What you'll learn
- How prevalent phishing and ransomware attempts are across finance, and where staff behaviours fall short
- Why confidence ≠ competence, and how to close that gap with regular, role‑relevant training
- Practical controls that work: self‑phishing, passphrases, 2FA, and scenario testing that sticks
- How culture and leadership turn policies into everyday action
What the report covers
Ideal for:
- CISOs, IT security and operational resilience leaders
- Compliance, conduct risk and culture teams
- Business unit heads in financial services responsible for staff behaviour and cyber readiness
What's inside:
- Survey data on attacks experienced, risky clicks and password practices.
- Interviews with cybersecurity and ex‑regulator experts on today’s threat patterns, including deepfakes.
- A “test your knowledge” phishing scenario and a concise action set for teams.
Why download:
- Save time: use the findings to target training where behaviours are weakest
- Improve accuracy: move from general awareness to task‑specific drills and reinforcement
- Boost engagement: short, scenario‑based activities staff actually remember
- Reduce risk: translate culture aims into measurable incident‑ready behaviour
Guest contributors to the report
Dr John Kingston
Senior Lecturer in Cybersecurity
Dr Kingston, a senior lecturer in cybersecurity at Nottingham Trent University, looks at how the rise of AI, including deepfakes, is heightening cybersecurity risks, and what firms can do to protect themselves.
Katharine Leaman
Leaman Crellin CEO | Skillcast Advisory Board member
Katharine shares her expertise as CEO of Leaman Crellin and Skillcast Advisory Board member. She urges companies to recognise their compliance blindspots – and make training fun.
Scott Morris
StoneTurn Senior Advisor | Skillcast Advisory Board Member
Scott offers his insights as Senior Advisor at StoneTurn and Skillcast Advisory Board member, exploring the changing face of cyber crime and the disruption an attack can cause.
David Kenmir
Skillcast Advisory Board Chair | PwC INED FSA & Risk and Regulatory Partner
David adds his experience as Chair of Skillcast’s Advisory Board and INED (formerly Managing Director at the FSA, and Risk and Regulatory Partner at PwC). He looks at how firms can build a healthy level of scepticism within their teams.