Driving a cyber-savvy culture to combat cyber threats
Technological defense is often the main tactic applied in efforts to combat cyber risk. Although critical to an organization's cyber strategy, technology on its own is not enough to meet the challenges that today's hackers present. What is required in addition is a focus on a major source of vulnerability that can allow hackers through the front doors of any business regardless of technological defenses — the human element, namely, the employees working daily in corporate systems. One misstep, even if accidental, by an employee working in a critical network can potentially facilitate a disastrous data breach.
Data related to cyberinsurance claims show that employee negligence or malicious acts accounted for two-thirds of cyber breaches; by contrast, only 18% of breaches were directly driven by an external threat. The data further showed that approximately 90% of all cyber claims are the result of some type of human error or behavior. The range of human action that can result in cyber breaches includes seemingly innocuous behaviors such as removing paper files from the office to work on at home, logging on to public Wi-Fi to quickly download a key document, and even discussing work-related topics in public. The simple truth is that a data breach is more likely to result from an employee leaving a laptop on a train than from a malicious criminal hack.
How can an organization target the human element effectively in efforts to drive the right employee behaviors? While at work, people's actions are driven by many influences, including what the company emphasizes in its communications, the policies and practices in place to direct work, what behaviors get rewarded, and the visible actions of important role models. Collectively, these influences describe “how work gets done here,” or what is called the culture of the organization. No two cultures are alike, as all face differing business conditions, and cultures are somewhat fluid, able to adapt to changing environmental needs or be shaped in ways that optimize work activity. An understanding of what cultural factors increase cyber risk from employee behavior would offer a blueprint for organizations seeking to mitigate threats from this human element.
Research findings point to three elements of culture associated with cyber risk. Specifically, organizations that have experienced data breaches are judged by their employees as falling short in efforts to promote a customer-centric environment, provide effective training for employees (especially newcomers in IT), and conduct business with high integrity, especially in interactions with third parties. From a cultural perspective, these findings suggest that cyber threat is exacerbated when organizations do not:
- Emphasize strongly enough that the customer is the center of the business, and that understanding and reacting to customer needs is essential to success; because behaviors related to handling customer information happen constantly in an organization, a customer-centric attitude can be a line of defense in mitigating cyber risk
- Deliver a learning environment in which new entrants are trained well in the basics of doing business, and new information is shared continually, especially among IT staffers; because the nature of cyber risk is ever-evolving, an organization that enables its people to constantly update their knowledge base is better equipped to react to threats in cyberspace
- Stress the importance of always conducting business the right way, avoiding shortcuts and acting responsibly, especially when working with third parties; because much business today involves passing information (even customer data) across multiple providers, the expectations set by corporate leadership to conduct business carefully and with high standards of integrity have to be part of the blueprint for defending against cyber threats
Cyber risk is a horizontal, enterprise-wide challenge that demands a collaborative response including input from IT, human resources, legal, operations, finance and risk management. An employee survey of this kind touches all corners of a work force and consequently brings to light challenges that involve many organizational constituencies. Taking action based on the findings likewise requires input and commitment across an organization.
Employee feedback is ultimately one part of a comprehensive cybersecurity strategy involving technological defenses, effective management of information security talent across an organization, and even risk transfer to cyberinsurance. In a recent survey of nearly 100 US firms by Willis Towers Watson, 85% of employers report cybersecurity as a top priority, even though 53% say they lack a formally articulated cyber strategy and 85% aspire to embed cyber risk management into their company culture over the next three years. A survey-driven approach to identifying challenges and gaps related to that goal would enable any organization to shape a cyber-savvy work force and ultimately reduce exposure to cyber risk.