With an average score of 10 out of a possible 18, respondents to the 2024 Financial Accountant cybersecurity quiz still have work to do to get their cybersecurity practices up to standard.
However, performance has improved markedly on a number of metrics since we last asked these questions in 2023.
Last year, 46 per cent of firms offered no cybersecurity training to staff and just 34 per cent required an annual refresher. This year, 64 per cent of respondents said that everyone in their company completed cybersecurity training, 41 per cent annually.
Last year, almost one in four respondents told us they use a simple formation of their name or address as a password. Just under 40 per cent were following password best practice at that time.
This year, just 5 per cent said they use simple passwords based on names, addresses and so on – an excellent turnaround. There’s still room to improve: the stats around password reuse have not moved very much at all with only 38 per cent saying they never reuse passwords. Just 28 per cent are using password managers all or most of the time, and this should be much higher.
A good proportion of respondents have taken up multi-factor authentication in the past year, with the number who do not use these tools down from one in five to just one in 20 – again, an excellent improvement. Room to do better: the half of respondents who use SIM-based authentication may be vulnerable to SIM porting, and could shift to authenticator apps.
Good news on VPN use – the proportion of respondents saying they use a reliable and secure VPN has climbed 5 percentage points. The bad news is that overall, a smaller proportion of respondents are using VPNs now than were doing so 12 months ago.
Data encryption and handling practices have improved markedly. Half of respondents last year had not encrypted data; this is now down to 41 per cent. Just over one in four respondents told us they had no documented data management policies. There is clear room for improvement here, but the needle is moving in the right direction.
This year we’re also seeing greater investment of attention, time and resources in cybersecurity. All respondents said their firms invest time in detecting malicious activity, whereas 8 per cent last year said they did not, and the proportion of respondents who said their firm had no cybersecurity policy has dropped from 42 per cent to 27 per cent.
Responses may not total 100% due to rounding.