Businesses urged to focus on company culture when managing cyber risk

Businesses should focus more on employees and company culture in efforts to manage cyber risk, Willis Towers Watson has said.

Organisations continue to focus on the technology aspect of cyber security, often at the expense of people risks, which represent the largest source of data breach claims.

The broker’s claim data shows that employee negligence or malicious acts account for 66% of cyber breaches, while only 18% were directly driven by an external threat and cyber extortion accounted for just 2%. Furthermore, around 90% of all cyber claims are the result of some type of human error or behaviour.

In response to these findings, Willis Towers Watson has launched a Cyber Risk Culture Survey solution. This innovative new tool, a cyber risk employee survey, is the first of its kind in the marketplace. The offering connects human capital and workplace culture to employer cyber risk vulnerability. The solution addresses companies’ leading challenges around cyber risk, such as tracking the extent of risk inherent in their people’s behaviours, determining ways to mitigate this factor and ultimately building a cyber smart workforce.

“Evidence suggests that many businesses are taking an overly technocratic approach to cyber risk and are in danger of missing the bigger picture,” said Anthony Dagostino, head of global cyber risk at Willis Towers Watson. “While technology has an important role to play, it really needs to be linked with an understanding of the human element. The simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack. We believe employees and companies with a strong culture and cyber aware workforce are the first line of defence against cyber risk.”

Patrick Kulesa, director, employee survey research, added: “When we talk to clients about cyber risk, they tell us bridging their operational silos is one of the biggest hurdles within their organisations. Our offering is relevant to many audiences within the organisation – not only corporate risk managers, data security teams and human resource professionals, but the entire executive suite – all of whom are crucial links in the chain of cyber risk management and mitigation.”