Repairing the Weakest Link

A recent survey says employee actions are at the heart of most cybersecurity incidents reported to insurers.


A global cyberattack could cause an average of $53 billion in damages, according to a study by Lloyd's of London and risk-modeling firm Cyence. That might not be the scary part.

The scary part may be that the greatest point of vulnerability for businesses worldwide could be their own employees. Employee negligence and malfeasance are to blame for two-thirds of U.S. cyber insurance claims, Willis Towers Watson reports.

"Hackers are exploiting the fact that while corporations are building walls of technology around their organizations and their networks, by far the biggest threat to corporate digital security and privacy continues to come from the employees within, often completely by accident," says Anthony Dagostino, head of global cyber risk at Willis Towers Watson. The global risk management and advisory company recently released the results of U.K. and U.S. surveys of 163 employers and more than 2,000 employees that shed light on the human side of cyber risk.

According to the company's 2017 Cyber Risk Survey, 52 percent of U.S. companies and 40 percent of U.K. business respondents report they have made progress addressing vulnerabilities tied to human error or actions over the past three years. Respondents in both countries say they made far more strides to improve technology systems and infrastructure (76 percent in the U.S. and 75 percent in the U.K.). Fifty-eight percent of U.S. firms and 46 percent of U.K. companies say they have improved business and operating processes in the past three years.

Surveyed companies plan to shift to new priorities in the next three years. About three-fourths of U.K. and U.S. companies say they plan to address human factors leading to vulnerabilities. Seventy-two percent of U.S. companies and 69 percent of U.K. businesses say they will improve processes. About two-thirds of responding companies in both countries say they will focus on technology improvements.

The ultimate aim for 80 percent of respondents in both countries is to embed cyber risk management into the company culture within three years. Reaching that goal will require employers to overcome employee misconceptions about cybersecurity. "One dangerous but apparently common belief among employees is that the company's IT and security systems are the ultimate protector," the study points out.

Employee awareness efforts aren't translating into safer behavior. About 40 percent of respondents to the employee survey say they use a work computer or mobile device in public places to access confidential information, while nearly one-third say they have logged onto work devices over an unsecured public network or used a work computer in a public place.

Although those figures suggest negligence is the problem, another study shows some employees are willfully violating cybersecurity policies and controls. Employees actively sought ways to bypass security protocols in 95 percent of the 60 organizations that were assessed by Dtex Systems, according to the company's Insider Threat Intelligence Report. Assessors found corporate information in publicly accessible parts of the web in 64 percent of organizations; 87 percent of employees were using personal, web-based email on company devices.

Topping the agenda for employers responding to the Willis Towers Watson survey are training programs for employees and contract workers, particularly among U.K. businesses, "where the survey figures indicate there is some catching up to do relative to the U.S. on the people-related risks." For example, 60 percent of U.K. employers say employees don't understand cyber risks, compared to 34 percent of U.S. employers. "The difference in results also highlights the need for human resources and risk management functions to work more closely together on cyber risk mitigation strategies," the study notes.

Time spent on training is similar in both countries, with more than half of responding companies spending less than one hour annually on employee cybersecurity training. About one-fourth of companies aren't providing such training at all. Nearly 20 percent spend half a day or more on training.

While building a more cyber-aware workforce can help, organizations still need to know where they are vulnerable, the Willis Towers Watson survey points out. "As the world has seen with the proliferation of phishing scams," Dagostino says, "the opening of just one suspicious email containing a harmful link or attachment can lead to a companywide event."

Tim McCollum

About the Author

Tim McCollum is Internal Auditor magazine's associate managing editor.

