Cyber Risk – Is it about people?
Introducing the Workforce Cyber Culture Assessment
Year on year global statistics¹, as well as our own claims analysis, continue to attribute a high percentage of cyber incidents to human actions and behaviours. Our own cyber claims insights report² shows that when human actions are considered, they account for an overwhelming majority of cyber security incidents. Cyber security is not merely an ‘IT problem’; its tentacles reach far and wide, and it will likely influence a good majority of your business objectives.
Is Cyber a people risk?
The ‘employees are your weakest link’ message is one well used within the industry. Organisations are expected to spend more money on building and securing their ‘human firewall’, but where do you start? More training, more policies, more rules? The simple message is that humans can and always will make mistakes; 100% security does not and will never exist. Indeed, the reality is that the sooner organisations can appreciate that these mistakes will happen, the sooner they can take a measured and proportionate approach to managing risk. But even then, where should an organisation begin with building a security strategy that places the human at the very epicentre?
It starts with intelligence and communication. Can an organisation say with confidence that they understand the feelings, the attitudes, and behaviours of their employees in a cyber context? In building an effective and responsive cyber security strategy, an organisation must first look to understand the thoughts, opinions, and perceptions of their workforce. By identifying potential problem areas, engaging with your employees across all functions, levels, and seniorities, you can build from a position of knowledge and strength, armed with real-time insights and measurable metrics.
How our Workforce Cyber Culture Assessment (WCCA) can benefit your organisation
Willis Towers Watson understands the key role the workforce has to play in effectively protecting against cyber threats. As such, we are proud to have developed an assessment framework and methodology that focuses on People Risk and the impacts of Business Culture on organisational cyber security. Through the introduction of our Workforce Cyber Culture Assessment (WCCA) we are challenging existing cyber risk assessment methodologies, pushing the identification and analysis of cyber risk beyond just the technology environment.
The WCCA leverages traditional engagement methodologies to probe an employee’s awareness of cyber risk, their own attitudes and behaviours, as well as the emphasis that their organisation places (or not) on addressing cyber risk. By addressing which aspects of the workforce are working to increase (or decrease) the likelihood and frequency of a cyber incident, the WCCA will give company stakeholders a firm understanding of their cyber risk surface now. At its core, the WCCA provides a series of focused recommendations that assist in mitigating and managing cyber risk whilst supporting positive behavioural change, across all levels of the business, through the collection and interpretation of measurable metrics. Our analysis also considers the potential presence of any cyber-related Cognitive Biases and provides an assessment of how these may be contributing towards heightened cyber risk within the organisation.
When combined, the WCCA deliverables will provide clients with a tailored roadmap that assists in achieving reduced cyber risk, enhanced situational awareness of problem areas and a clear strategy for the effective allocation of resources to support business-wide security efforts.
Finally, it is possible that your people and your business culture may dictate how successful your cyber security strategies are in practice. Only by engaging your workforce and learning about the ‘person’, their attitudes, thoughts, and perceptions, can you begin to take steps towards really understanding your cyber culture in detail. By gaining an awareness of human factors – alongside technology ones – it is from here that you can start to positively affect and change business norms, behaviours and, in turn, the culture within your organisation. Cyber security must be cognisant of and built around the people (and culture) of your business, not vice-versa, otherwise – and as we see time and time again – your people (and your culture) may be inadvertently and innocently leading to avoidable security incidents within your organisation.