Two-thirds of cyber breaches arise from internal threats, according to claim data released by Willis Towers Watson, a global advisory, broking and solutions company.
The data reveals that employee negligence or malicious acts account for two-thirds (66%) of cyber breaches, while only 18% were directly driven by an external threat and cyber extortion accounted for just 2%.
The company warned that many organizations continue to focus on the technology aspect of cyber defence, which is crucial, but often at the expense of people-related risks, which represent the largest source of data breach claims.
Willis Towers Watson has launched a Cyber Risk Culture Survey solution. Comprising a cyber risk employee survey, it is the first of its kind in the marketplace and connects human capital and workplace culture to employer cyber risk vulnerability.
The solution addresses companies’ leading challenges relating to cyber risk, such as tracking the extent of risk inherent in their employees’ behaviors, determining ways to mitigate this factor, and ultimately building a cyber-smart workforce.
Hamish Deery, Asia-Pacific head of Talent and Rewards for Willis Towers Watson, said the data clearly shows that companies who have had cyber breaches have a different cultural profile.
He commented: “Their employees’ experience includes a relatively poor induction when joining the company. Especially in IT, this is a serious source of risk if new staff is not effectively trained to manage cyber risk.
“The inability to create an ongoing learning environment is also evident, including knowledge of how to circumvent hackers’ attempts to acquire confidential and sensitive data.
“Failing to sufficiently emphasize a customer focus, and appropriate incentive and training programs to support the management of cybersecurity are also evident in those companies who have had breaches. Understanding and addressing these workplace cultural elements is a first step to creating an environment that supports a holistic, integrated risk mitigation strategy.”
Risk transfer solution
“Companies are increasingly looking to purchase cyber insurance as a risk transfer solution,” says Willis Towers Watson Financial and Executive Risks specialist Tanya Stevenson.
“Those that are best able to articulate their cyber risk culture and their management of cyber risks, beyond their IT departments, are unsurprisingly in the strongest position for negotiations of cyber insurance quotations and coverage.”
The Cyber Risk Culture Survey solution has three different models, tailored to a company’s needs. The tool measures an organization’s cultural elements of cyber risk related to human capital awareness and frequency of supportive employee actions.
The survey results provide a clear picture of an organization’s internal risk culture, with a particular focus on where it might be most vulnerable to employee-driven cyber incidents. These results allow senior leadership to take decisive action to create solutions, including cultural changes, and talent and reward interventions, to mitigate cyber risk.