Employees, not technology, are your business's first defence against cyber attack
Suzanne McAndrew, Managing Director, Talent & Rewards, Willis Towers Watson says just 18% of breaches driven directly by external threats.
High profile cyber-attacks have opened companies' eyes to the scale of cyber threat and are asking themselves how to protect their businesses. For many the knee-jerk reaction would be to look to technology to bolster defences. In-fact, businesses' front-line defence is closer than they think – it starts with their employees.
It's eye-opening that our data shows that two-thirds of cyber breaches are caused by employee negligence or malfeasance including losing laptops, the accidental disclosure of information or actions of rogue employees, compared with just 18% of breaches driven directly by external threats.
So, what will it take for employers to address rapidly evolving cyber threat and reduce their exposure? First, they need to fully appreciate the scope of the threat. Next, it's critical for them to understand the strategies and tools that can turn their biggest security vulnerability—employees—into their first line of defence.
Most employers say they have established and communicated effective policies and processes to manage the gamut of cybersecurity threats. And most employees indicate that they understand their company's policies regarding data privacy and information security in their jobs. But, in practice, employees often lack the awareness, responsibility and accountability required to thwart cyber threats, thus increasing the likelihood of them engaging in risky behaviours. For their part, many employers appear to lack visibility into employees' poor cyber habits, a clear sign that their cyber risk management strategies are falling short.
A good example of this is in employees' approach to data privacy and security. Employees often lack awareness of cybersecurity risks at a basic level. For example, a common and perilous belief among employees is that their organisations' central IT systems are their ultimate protection. This thinking leaves employers exposed to cyber risks.
Employees' risky behaviours can also leave their organisations vulnerable to social engineering attacks where cyber criminals can learn about employees' activities and profiles which then allows the criminals to convincingly manipulate employees into giving up confidential information or data.
Many employees lack the "cyber IQ" necessary to protect company and client information. So, how can employers improve employees' awareness, responsibility and accountability in matters related to cybersecurity? And how can they ensure that the right behaviors are sustained even as cyber threats evolve?
Workforce culture drives employee behaviour. Culture generally refers to the shared set of values, principles, assumptions and beliefs that influence how work gets done. Many employers indicate that they are looking to build a culture of cyber risk awareness in their organisations in order to promote employee behaviours that will lessen their vulnerability to cyber threats. Moreover, employers appear to recognise the urgency of this situation. While fewer than half have a formally articulated cyber strategy currently in place, over 80% of employers want to have cyber risk management embedded in their company culture within the next three years.
To build a cyber-savvy organisation, it is essential to create an ongoing learning environment that emphasises staying up-to-date with business trends and cyber threats. This equally applies outside the workplace with the growing threat of cyber-attacks through public WiFi networks (in a café, for example), exposing potentially sensitive information. Given the increased use of technology inside and outside the workplace, there is a pressing need for ongoing training to help employees identify and mitigate everyday cyber risks.
As well as ensuring current employees are well-trained and cyber savvy, it is important to ensure that businesses have an adequate talent pipeline. IT skills shortages in many companies can contribute to gaps in information security skills and by extension, in a company's ability to address the human element in cybersecurity. Therefore, it is essential to identify cyber skills gaps and to determine how those gaps will be bridged – i.e., either by hiring new talent or upgrading skills of existing employees. When hiring new information security talent, onboarding should cover cyber risk management processes and procedures, and should emphasize the role of employees in mitigating cyber threats.
Robust cyber risk management requires not only state-of-the-art technology solutions but also effective human capital programs. It takes a culture of cyber awareness, responsibility and accountability, an ongoing learning environment and forward-looking talent strategies to build and sustain employees' "cyber IQ." These cyber-savvy, empowered employees will serve as your most effective defence against cyber threats.