Most cyber risks traced to employee actions
Employee negligence or malicious acts account for as many as 66% of corporate cyber breaches, notes recent research from Willis Towers Watson that sheds light on how HR professionals and other top executives can prevent these incidents.
A focus on the technology aspect of this issue can obscure “the business connection between how a company’s culture is managed and the risk of data breaches,” says Patrick Kulesa, director of employee survey research at Willis Towers Watson. For instance, about 90% of all cyber claims were attributed to human error or behavior, while just 18% were tied to an external threat and 2% to cyber extortion.
When examining a wide range of workplace issues at about a dozen companies where data were breached, the researchers found several troubling patterns. One was the presence of insufficient employee training, learning or development.
Within the context of cyber risk, he says it’s possible to “see why it would be a symptom of a larger problem or source of vulnerability if you’re not doing things from a basic training standpoint to help people understand their role in the organization and keep them up to date with network challenges and issues they face in their job every day.”
Another was the lack of customer focus. “There’s clearly some general cultural characteristics of companies that struggle with this — some of which reflect the way they manage the organization, and some of which are assuredly quite specific to the data and information security area,” Kulesa explains.
The Willis Towers Watson findings “appear to add empirical evidence to what IT experts have been saying for some time now,” says Eugene S. Griggs, partner at Poyner Spruill, LLP.
“When we talk to clients about cyber risk, they tell us bridging their operational silos is one of the biggest hurdles within their organizations,” according to Willis’ Kulesa. He says his firm’s cyber risk survey is relevant not only to HR professionals and corporate risk managers, but also to data security teams and the entire executive suite.
“The No. 1 message we’re trying to send is that cyber risk is a team sport,” he says. “It’s really a horizontal [issue] for organizations, meaning that they need a lot of their senior leaders to be on deck and involved with this issue, whether it’s HR combining with risk and compliance and legal, and chief information officers and chief information security officers.”
A cyber smart workforce
Willis Towers Watson has developed a cyber risk culture survey to help mitigate these risks en route to building “a cyber smart workforce.” The tool measures the cultural elements of these risks and the frequency of supportive employee actions, and focuses on vulnerabilities to employee-driven incidents.
These results can be used to create solutions, including cultural changes as well as talent and reward interventions. In fact, Kulesa says there’s a sense that various incentives in the work environment could help prevent cyber breaches. Such steps may include, for example, encouraging employees to attend compliance training and treating an understanding of these processes as part of an organization’s approach to rewards. “There’s a lot to think about there in terms of access to data, who has it and who doesn’t, and the third party’s activities, as well,” he says.
Griggs also suggests a few key elements that industry producers can use with their employer clients to develop a strong cyber security strategy. They include screening and background checks for new personnel who will have access to sensitive data or control over systems, as well as an ongoing training and communications program to keep data security top of mind for every employee handling sensitive data.
Another important step is to “review insurance coverages to determine the extent of, and limits on, coverage in the event of a breach caused by the intentional or negligent act of an employee,” he adds.