Willis Towers Watson carried out web-based surveys with 163 U.S. employers and with over 2,000 employees. A quarter of these employees work in a corporate IT function.
“Creating a culture of cybersecurity and building a cyber-savvy workforce is of key importance to effectively manage the people, capital and technology risks across every organization,” the company reported in its survey results. “Cybersecurity is a challenge and part of a journey toward mitigating risk involving human error and improving operating procedures.
To date, technological responses have led the way. However, growing recognition of the human element in cyber risk means that most companies that responded to the survey expect to focus more heavily on operating procedures and creating a more cyber-savvy workforce in the months and years to come.
And with good reason it would seem. Willis Towers Watson’s recent Cyber Claims Database shows that by far the largest proportion of cyber claims reported to insurers stems from employees’ actions, or collective inaction.
The concurrent employee view of the survey appears to offer some explanation for the claim statistics, by showing a disconnect between cyber awareness and accountability of the workforce and organization’s views of their preparedness.
Toward a Culture of Cybersecurity
While most companies feel they are on the right track in terms of data privacy and information security, many say they are looking to create a culture of cybersecurity in their organization. Most admit, however, to being currently on the lower rungs of the ladder to reach this goal, although they have aspirations to climb it quickly. Over half have no formally articulated cyber strategy now, but over 80% want to be in a position of having embedded cyber risk management within the company culture within three years
So, how will they get there? The unequivocal answer is by making more progress on improving business and operating processes and on addressing factors tied to human error or actions.
Business-related activities expected to figure prominently in companies’ plans include more stringent reviews of contractors and third-party suppliers and testing of emergency response plans. To offset risk, a large majority of companies are also reviewing or adding to their cyber insurance coverage as the available market has expanded, with the higher levels of activity seen in the U.S. so far reflecting the fact that American companies have historically bought more of this type of cover, compared to European companies that have tended to focus more on business interruption and continuity. Fifty four percent of U.S. companies have added to or enhanced cyber coverage in the last two years.
Two thirds of companies have also already taken steps to centralize data privacy and information security. Two thirds of companies have also already taken steps to centralize data privacy and information security. This may account for most companies believing they have or need appropriate levels of corporate support and clear lines of responsibility for data privacy and information security—leaving more to do on supporting processes and employee engagement.
Among the specific people-related actions that companies expect to take in the next couple of years, training programs for both employees and contract workers frequently top the agenda.
Does Employee Behavior Match Company Policy?
As companies adapt their cybersecurity approaches to more actively address people risks, they will of course need employees to step up to the plate and play their part.
Combining the results of our employee and employer surveys shows they have some work to do here, including doing more in some cases to create and maintain an environment in which employees are comfortable reporting data privacy and security incidents.
One dangerous but apparently common belief among employees is that the company’s IT and security systems are the ultimate protector. Even though a significant majority of companies feel they are doing what they need to in setting up and communicating robust protection systems, policies and processes, the message does not always resonate, judging by some current employee behaviors. Around 40% use a work computer or cellular device to access confidential company information and discuss work-related topics in public places. About 30% admit to logging in to a work device on an unsecured public network or using a work computer in public settings. Roughly 25% take confidential paper files home and use unapproved devices to do work at home. Some employee attitudes toward opening email attachments, changing passwords regularly and sharing personal information, such as employer name and job title, on social media sites may also leave companies more vulnerable, particularly to social engineering, where cyber criminals use impersonation techniques to trick employees into divulging confidential information or data.
Given these findings, there certainly seems to be a need to more closely assess the reasons why employees continue to engage in risk producing behaviors.
A root cause may be that nearly half of U.S. employees surveyed said they spent less than 30 minutes on data protection and information security training last year. Around 60% said they had only completed any training because it was a company requirement, although many claimed to have derived some knowledge and benefit from whatever they had done.
Such results inevitably lead to employees with different levels of understanding, accountability or engagement with cyber risk management. It may benefit companies, therefore, to segment their awareness training and other learning tools in order to refine an approach for different groups of employees/workers. For example, executive-level employees may need more training on confidential corporate information and use of company devices while traveling in foreign countries, while HR training may focus primarily on protection of employee data.
From the responses to a range of questions on the employee survey, we have defined four types of employees according to how they use technology at work or at home.
- Alert – those who protect personal information in daily life and are aware of information security at work.
- Comply – those who follow data/information protection policies at work but are careless on a personal level.
- Ignore – those who pay attention to protecting personal information, but who don’t act with the same care at work.
- Unconcerned – those whose technology usage patterns at home and work may lead to potential cyber risks.
The findings from our surveys signal a shift in cybersecurity strategies. Although companies still think there is more work to do on technological responses, most feel they are broadly on track and making progress in addressing potential weaknesses in their IT infrastructure.
Attention is now increasingly turning to the operational- and people-related risks that cyber claims experience shows leave companies exposed to cyber risk even with state-of-the-art technology strategies.
There is growing impetus behind the view that building effective cyber resilience has to have its roots within the organization culture and its people. Solutions are likely to be complex and multidimensional, as is always the case for any kind of cultural change. Certainly, companies may have to adapt their operations to the constantly changing nature of cyber threats. Nor should they ignore the expanding risk mitigation options available through the insurance market. But employers will increasingly look to foster a more cyber-savvy workforce, including the use of innovative employee engagement, talent management and reward strategies, to fortify their cyber security posture.
Copyright © 2004-2017 American Land Title Association. All rights reserved.
This article has been used and reprinted with the permission of The American Land Title Association. The material is for general information purposes only and is not to be relied upon or used for any particular purpose. Title Industry Assurance Company, RRG and The American Land Title Association shall not be held responsible in any way for, and specifically disclaims any liability arising out of or in any way connected to, reliance on or use of any of the information contained or referenced in this article. The information contained or referenced in this article is not intended to constitute and should not be considered legal or professional advice, nor shall it serve as a substitute for the recipient obtaining such advice.