Companies that deal with data breaches or cyber attacks have employees who see the corporate culture lacking in key areas, Willis Towers Watson asserts in a new analysis.
It is not a new thing to assert that human error can lead to cyber breaches. But the report goes deeper, by arguing that companies can reduce cyber vulnerabilities by addressing employee perceptions and culture shortfalls. In other words, a little training and pay incentives can go a long way toward preventing or managing future cyber attacks.
“To more effectively manage cyber risk, organizations need to better understand how the various elements of their workforce culture shape their employees’ behavior and, ultimately, either reduce or drive their exposure to cyber risk,” Adeola Adele, employee practices liability product and cyber thought leader of Willis Towers Watson’s FINEX North America practice, said in prepared remarks.
Researchers found in their survey of more than 450,000 employees that employees at companies with data breaches scored training, customer focus and company image significantly lower than other “high-performance” businesses without those issues. What’s more, IT workers at companies with data breaches also had poor views of training, and scored “especially low” on how they viewed training of new employees.
Willis Towers Watson said that this means that new staff represent “a blind spot and potential serious source of cyber risk if not effectively trained in processes and procedures.”
Beyond new hires, sufficient pay also presented a cyber risk problem. Willis Towers Watson said that IT workers in data breach companies saw themselves as not being paid properly or rewarded for the efforts they put into their jobs. The argument here is that employees who don’t feel well compensated could harm efforts to spot and manage cyber risk.
A lack of customer focus also seems to hurt in the battle against cyber attacks. The report found that employees at companies with data breaches saw customer focus to be lacking. This dynamic hurts risk management, the report said, “as it could set the stage for poor decision making and undermine the vigilance needed to counteract attempts to steal online customer information.”
So how can companies address their corporate culture and reduce cyber attack risks in the process? Willis Towers Watson offers several recommendations. They include:
- Create a company-wide cyber strategy that involves multiple departments including IT, HR, legal, operations and finance staff.
- Managers should also invest in “comprehensive training” that includes rewards and incentives that help develop a cyber-security savvy work culture.
- Technology matters, but it is not sufficient to just improve technological defenses. That said, money should be allocated to adequately cover the right cyber defenses.
- With risk management strategies in place, companies should subscribe to insurance that addresses any cyber threats they can’t stop or reduce themselves.
Willis Towers Watson’s study is called “The Inside Threat: Why employee behavior and opinions impact cyber risk.” To complete it, the advisory, broking and risk management company analyzed survey results from 12 organizations that looked at employee engagement attitudes and opinions. Participating companies are based in North America, Europe and Asia Pacific and reflect sectors including technology, telecommunications, consumer products, manufacturing and utilities.
Benchmark data for comparison came from 28 “high-performance companies” with high favorability scores, and also global information technology staff from 400 companies.
Source: Willis Towers Watson