Mitigating cyber risk from employees is business critical

Cyber awareness is a cultural issue which is best addressed by comprehensive training – and that’s where HR comes in, says Matt Palmer

Recent headlines about data breaches, stolen assets and network outages reflect the very real threat of cyber risk: the Marriott and Quora data breaches affected a combined 600 million users, and a further 3 billion users were victims of Yahoo's massive breach in 2016.

The increasing sophistication of cyber attacks requires organisations to implement a robust cyber security strategy. While IT security was prioritised by organisations due to tougher legislation, they must take a tougher stance and review the adequacy of their cyber-security strategies.

Cyber threats have evolved to become more sophisticated, often originating from state-sponsored groups or criminal networks who target individuals connected to businesses for valuable information.

Looking at the scale of these attacks, it is now imperative that companies decode cyber risk and develop a fully integrated, comprehensive plan for managing people, capital and technology risks across their enterprise.

It is not commonly known that employee negligence and malicious acts, including lost laptops, the accidental disclosure of information and the actions of rogue employees, cause two-thirds (66 per cent) of cyber breaches. By contrast, only 18 per cent of breaches are directly driven by external threats, according to a Willis Towers Watson Cyber Risk Survey.

Organisations succeed when cyber risk awareness is embedded within their culture and employees form the first line of defence against cyber risk. But how can employers determine how to build a cyber-savvy workforce?

Our survey findings suggest that environments experiencing cyber breaches lack a focus on fostering a strong company image among employees that shows commitment to social responsibility. The same environments also lack comprehensive training to help employees, especially IT staff, understand their jobs.

Company culture, employee opinion and behaviour

Given employee negligence causes most cyber-related incidents, company culture should be considered when mitigating cyber risk. Employers need to measure the risk inherent in their employees’ behaviours and determine how to lessen the risk and build a cyber-smart workforce.

That means it’s important for employers to use all the tools available for breach prevention. And perhaps the most useful and least obvious assessment tool is a cyber risk culture survey that assesses an individual’s sense of responsibility and accountability for cybersecurity.

By having employees answer questions related to their awareness of cyber risks and their behaviour in response to threats, an employer can develop a profile of the groups most in need of attention.

With the right capabilities and data, organisations can also compare their outcomes to those of industry peers and high performers globally.

These insights will help senior leaders target high-risk employee groups and develop plans to bridge gaps in cyber risk education, as well as overall organisational support for cybersecurity.

Harnessing a cyber-savvy workforce

Embedding an organisation’s culture with an emphasis on risk awareness is the first step towards creating a workplace environment that supports a holistic, integrated risk mitigation strategy, but further steps are also required.

As employees will have different levels of awareness and knowledge of cyber risk, it is essential to tailor ongoing training initiatives to different employee groups.

Training components can take place online or in person and can involve self-paced learning or ‘learning-by-doing’. The key is that it must resonate, be personal and go beyond just another box-ticking exercise.

The benefits of comprehensive training are clear. According to our research, 77 per cent of employees believe it increases their sense of personal responsibility for data security at work.

Furthermore, it is essential to assess skills gaps at regular intervals and determine how to best fill those gaps – either by hiring new talent or upgrading the skills of existing employees. Learning new skills also gives high-value employees a reason to stay with their organisation.

Act now towards a culture of cybersecurity – assess your internal risk culture, prioritise personalised training and rethink your skills strategies. Today’s cyber risk is complex and multi-dimensional, and the solutions combating it should be too. Employers need to foster a more cyber-savvy workforce, including through the use of innovative employee engagement, talent management and reward strategies, to fortify their cybersecurity posture.

Matt Palmer is senior director, cyber risk management at Willis Towers Watson