Cybersecurity

The biggest threat to your cybersecurity is hiding in plain sight

An employee of Europe's largest and newly opened integrated Cyber Defense and Security Operation Center (SOC) of Telekom Security, a business unit of Germany's telecommunications giant Deutsche Telekom AG, looks at his screen in Bonn October 26, 2017.    REUTERS/Wolfgang Rattay - RC11E9EF8070

It takes more than technology to turn employees into the first line of defence against cyber threats. Image: REUTERS/Wolfgang Rattay

Anthony Dagostino
Global Head of Cyber Risk, Willis Towers Watson
Suzanne McAndrew
Managing Director, Head of Talent Business, Willis Towers Watson

While organizations understandably make significant investments in technology to defend against external cyber threats, their biggest security vulnerability is internal and hiding in plain sight: their employees.

Willis Towers Watson’s cyber insurance claims data show that two thirds of cyber breaches are caused or enabled by employee negligence or malfeasance, including losing laptops, the accidental disclosure of information or actions of rogue employees. By contrast, only 18% are directly driven by an external threat.

Employees can be the strongest asset in an organization’s cyber security strategy. However, it takes more than technology solutions to turn them into your first line of defence against cyber threats.

This recognition is prompting a growing number of organizations to examine their internal culture and its role in encouraging behaviour that can lessen their vulnerability to cyber risk. Over 80% of organizations participating in the 2017 Willis Tower Watson Cyber Risk Survey indicated that they want to have cyber risk management embedded in their company culture within the next three years. But how will they get there when much of an organization’s risk culture lies beneath the surface?

The following steps can help organizations build a strong, cyber-savvy culture:

1) Assess your internal risk culture

To build a risk-averse culture, organizations must be able to measure the risk inherent in employee behaviour. Perhaps the most useful and least obvious assessment tool is a cyber risk culture survey – an employee survey that assesses an individual’s sense of responsibility and accountability for cyber security.

By having employees answer questions related to their awareness of cyber risks and their behaviour in response to threats (e.g. does an individual send important or confidential information by email using password protection?), an employer can develop a profile of the groups most in need of attention.

This type of assessment can also help reveal how well an organization and its leaders support a cyber risk culture. For example, the survey can measure employee perception of cyber risk training across key functional areas.

In addition, with the right capabilities and data, organizations can compare their outcomes to those of industry peers and high performers globally.

The resulting insights will help senior leaders target high-risk segments and develop plans to bridge gaps in cyber risk education as well as overall organizational support for cybersecurity.

2) Prioritise targeted training

Because employees will have different levels of awareness and knowledge of cyber risk, it is essential to tailor ongoing training initiatives to different employee groups.

Training components can include training delivered online or in person by an instructor, self-paced learning and “learning-by-doing” approaches – think simulations where employees have to respond to cyber threats such as phishing schemes.

The benefits of comprehensive training are clear: 77% of employees believe it increases their sense of personal responsibility for data security at work, according to the 2017 Willis Tower Watson Cyber Risk Survey.

3) Rethink your skills strategies

Given the information security skills shortages in many economies and evolving talent requirements, it is essential to assess skills gaps at regular intervals and determine how to best fill those gaps – either by hiring new talent or upgrading the skills of existing employees. An ongoing opportunity to learn new skills also gives high-value employees a reason to stay with their organization.

Given the information security skills shortages in many economies and evolving talent requirements, it is essential to assess skills gaps at regular intervals and determine how to best fill those gaps – either by hiring new talent or upgrading the skills of existing employees. An ongoing opportunity to learn new skills also gives high-value employees a reason to stay with their organization.

As information security plays an increasingly critical role in the organization, new talent challenges arise. For example, in some organizations, information security is “co-led” with the business. This shift creates a need for hybrid roles in cybersecurity requiring business acumen as well as technical skills. Keeping up with these changing roles can provide a competitive edge.

Cyber threats show no sign of easing any time soon. By assessing the threat, providing ongoing opportunities to learn, and developing forward-looking talent strategies, organizations can create a strong, cyber-smart culture to protect against cyber breaches.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Stay up to date:

Cybersecurity

Related topics:
CybersecurityEmerging TechnologiesJobs and the Future of WorkEducation and Skills
Share:
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

US introduces new data rules, and other cybersecurity news to know this month

Akshay Joshi

November 4, 2024

3 key factors to make your cybersecurity training a success

About us

Engage with us

  • Sign in
  • Partner with us
  • Become a member
  • Sign up for our press releases
  • Subscribe to our newsletters
  • Contact us

Quick links

Language editions

Privacy Policy & Terms of Service

Sitemap

© 2024 World Economic Forum