The Biggest Threat in Cyber Risk is Your Employees

Date:   Thursday , February 09, 2017

Headquartered in London, Willis Towers Watson is the leading advisory, broking and solutions company. The unique solutions of the entity manage risk, optimize benefits, cultivate talent and expand the power of capital to protect and strengthen organizations from risks.

As technology is increasingly embedded into business processes, cyber-risk has grown, become more dynamic in virtually all industries. Beyond the financial, property and reputational damage cyber incidents can cause, they also can lead to regulatory scrutiny and litigation. The human element as a risk factor in data security breaches is as enduring as it is troubling. Compromised laptops and phishing email scams continue to appeal to hackers as avenues to damage corporate servers and the confidential, sensitive information they maintain. And, as quickly as organizations implement mitigation techniques, hackers develop new methods, putting enormous pressure on cyber-security functions to maintain effective, flexible risk management strategies that can respond to this ever-evolving source of vulnerability.

The Critical Role of People in Cyber-Security

An organization’s people must play a critical role in any cyber-strategy. Recently, Willis Towers Watson commissioned a survey of 306 risks; finance, human resources, information technology and operations decision makers to gain insight into their organizations’ cyber-risk priorities. Of those surveyed, 64 percent said that human capital and employee solutions are a very important focus for cyber loss control, and an additional 36 percent said they are a somewhat important focus. Looking ahead, 68 percent viewed human capital and employee solutions as a very important future focus for their organizations.

More than 70 percent of respondents said that losses related to employee-related cyber-risk is very important. Interestingly, those with roles in information technology and operations were more focused on employee solutions than other respondents were. It’s significant to note that among respondents in risk and finance, only 55 percent deemed human capital and employee solutions as a current very important focus. These findings highlight the need for organizations to focus more attention and resources on cyber-risk created by employees and on employees’ role in overall cyber-risk mitigation. Other research examines the risk created by employees and how IoT, BYOD policies and the changing face of the workforce have combined to accelerate that risk.

Finding Effective Solutions

How can organizations track the extent of risk inherent in their people’s behaviors and determine how to mitigate this factor? A significant part of the answer lies in understanding the workforce culture that shapes everyday behavior. An organization, and in particular its leaders, creates and reinforces a culture that influences every employee. This culture holds the shared values, norms, beliefs and assumptions that ultimately drive employees’ actions. The emphases within the culture can support or inhibit behaviors that mitigate risk. For example, a culture with a strong customer focus will create norms for prioritizing customer needs above other demands, encouraging extra effort when interacting with customers and handling their information internally. In a customer-centric culture, through thousands of individual employee decisions that take place over time, behaviors that help prevent data breaches will occur with more frequency than behaviors that create significant vulnerabilities.

A new analysis of employee survey results sourced from organizations that have experienced significant data breaches including the loss of business-critical, employee and consumer data further reinforces this position. By examining the cultural landscape in organizations experiencing data breaches, the critical human element comes into sharp focus. It’s no surprise that employee engagement attitudes of employees in the data breach organizations were consistently below those of employees in the high-performance group. Scores were lowest for three key aspects of culture:

Training: Questions on this topic included employees’ opinions about whether they received adequate training for the work they did and had access to training to improve their skills and learn new skills to advance in their roles.

Company Image: Questions in this area focused on corporate social responsibility, environmental responsibility, regard from customers, and integrity when dealing with external stakeholders.

Customer Focus: These questions tapped into employees’ overall sense of emphasis on the customer, responsiveness to customer needs, and proactive efforts to gather and act on customer feedback.

In short, employees in organizations that experienced data breaches said their organizations lacked a flourishing learning culture, high levels of integrity and a customer-centric culture. Addressing fundamental emphasis in workplace culture is a first step to creating an environment that supports a holistic, integrated risk mitigation strategy. In addition to emphasizing a customer-centric workplace culture, and developing and implementing employee incentive and training programs designed to foster cybersecurity, organizations should consider the following cyber-risk mitigation approach:

  • Ensure enterprise-wide governance is in place

  • Assume hackers are already inside

  • Consider technology one of several lines of defense

  • Insure for cyber-threats that cannot be mitigated

  • Allocate enough capital to the right cyber-defenses protect the organization’s crown jewels!