Organizations experiencing data breaches are judged by their employees as lacking a learning culture and failing to put the customer at the center of business activity, according to a new analysis from global advisory, broking and solutions company Willis Towers Watson.
To more closely examine the extent of cyber risk inherent in employee behavior, Willis Towers Watson analyzed employee survey results, capturing opinions from over 450,000 employees and corresponding to a period during which significant data breaches were identified within their firms. Drawing on its database of employee opinion survey data, the company then benchmarked these results against global high-performance companies and global information technology (IT) staff.
The results, published in a client alert titled “Inside Threat: Why Employee Behavior and Opinions Impact Cyber-Risk,” provide a snapshot of employee opinions within firms that have experienced cyber breaches and suggest a fundamental emphasis on workforce culture may be the first line of defense against cyber risk.
Key findings
As expected, there were significant gaps in favorable opinion scores between employees in data breach groups and each benchmark.
Compared to the high-performance group, employees at data breach companies report significantly lower scores in three areas of workforce culture:
- Training
- Company image
- Customer focus
Compared to the IT employee group, IT workers in data breach companies have less favorable views of training and score especially low on perceived training of new employees. The analysis points to new staff as a blind spot and potential serious source of cyber risk if not effectively trained in processes and procedures.
Compared to the IT employee group, pay for performance emerges as a challenge. The findings indicate that frontline IT staff in data breach companies perceive a misalignment between their efforts and associated rewards, potentially undermining efforts to identify and manage cyber risk.
Compared against both benchmarks, employees in data breach companies indicated a widespread lack of customer focus. This finding is significant from a risk management perspective, as it could set the stage for poor decision making and undermine the vigilance needed to counteract attempts to steal online customer information.
“These data are significant because they offer an inside view of workforce culture and for the first time reveal the vulnerabilities within companies experiencing cyber-breaches based on the ultimate insiders — their employees,” said Patrick Kulesa, global research director, Willis Towers Watson’s Research and Innovation Center.
“There is broad awareness of the human element as a risk factor in data security breaches. However, to more effectively manage cyber risk, organizations need to better understand how the various elements of their workforce culture shape their employees’ behavior and, ultimately, either reduce or drive their exposure to cyber risk,” said Adeola Adele, employment practices liability product and cyber-thought-leader of Willis Towers Watson’s FINEX North America practice.
To respond to the range of cyber risks stemming from inside threats, Willis Towers Watson experts suggest a series of prevention priorities for organizations, including:
- Focus on an enterprise-wide approach to setting cyber strategy, with collaboration across corporate functions including IT, HR, Legal, Operations and Finance.
- Invest in making the workforce cyber-smart through comprehensive training and a combination of rewards and disincentives to encourage a culture supportive of cybersecurity.
- Consider technology one of several lines of defense. While technological defenses are critical, they are not a sufficient response on their own.
- After risk management strategies are employed, companies can insure for cyber threats they cannot mitigate.
Source: Willis Towers Watson