Canadian Underwriter

73% of U.S. businesses believe their organizations are highly protected from cyber threats, but “low cyber IQ” remains: Willis Towers Watson


June 6, 2017   by Canadian Underwriter



Nearly three-quarters (73%) of businesses in the United States believe that their organizations are highly protected from attempts by outsiders to gain access to their systems and data, but “low cyber IQ” among employees poses a threat, according to a new survey by global advisory, broking and solutions company Willis Towers Watson (WTW).

The findings, from WTW’s Cyber Pulse Survey, also show that a similar proportion of organizations (79%) maintain that they have the right processes in place to adequately respond to privacy and security threats. The survey, released on Tuesday, polled 92 companies from the U.S., representing 2,073 employees, with respondents covering risk management, finance, accounting, IT and human resources.

Overall, the survey found a majority of companies felt that they are adequately prepared for cyberattacks against their organizations, “despite the frequency and breadth of impact of cyberattacks across industries in recent years seemingly indicating the contrary,” WTW said in a press release. However, the survey also revealed that the disparity between corporate feelings of preparedness and the increasing number of cybersecurity incidents could be a result of a lack of responsibility or accountability among employees, the human element of the cyber equation.

U.S. employees ranked insufficient understanding (79%) as the biggest barrier to their organization effectively managing its cyber risk. Nearly half (45%) spent 30 minutes or less on cybersecurity training in 2016, and a quarter (25%) received none at all, the release said.

More concerning for employers is the discovery that, of the employees who did complete cyber training, 61% admitted they only completed it because it was required, and 46% believe opening any email on their work computer is safe, suggesting employees may not be engaged or feel the personal accountability necessary to drive long-term, sustainable behaviors.

“As the world has seen with the proliferation of phishing scams, most recently highlighted by the global WannaCry ransomware attack, the opening of just one suspicious email containing a harmful link or attachment can lead to a companywide event,” said Anthony Dagostino, head of global cyber risk with WTW. “However, there appears to be a disconnect between executive priorities around data protection and the need to invest in a cyber savvy workforce through training, incentives and talent management strategies.”

The survey also detailed additional barriers companies felt impacted their cyber preparedness and the degree to which corporations are providing cyber training to their employees. For example, more than 30% of employees surveyed have logged into their work-designated computer or mobile device over an unsecured public network (such as public Wi-Fi). As well, only a little more than half (52%) of the employers surveyed feel they have made progress addressing cybersecurity factors tied to human error and behaviors in the last three years.

“Hackers are exploiting the fact that while corporations are building walls of technology around their organizations and networks, by far the biggest threat to corporate digital security and privacy continues to come from employees within, often completely by accident,” said Dagostino. “A truly holistic cyber risk management strategy requires at its core a cyber savvy workforce; however, organizations first have to know where the vulnerabilities are in order to plug the gaps. Many organizations are facing talent deficiencies and skill shortages in their IT departments, which in turn are creating significant loopholes in their overall security measures.”

According to the survey respondents, costs associated with minimizing cyber risk will continue to rise as technology evolves and becomes more sophisticated. “This heavy emphasis on technology is crucial given the competing sophistication of cybercriminals, but also encouraging that human capital solutions and improvement of operating procedures will be a priority for nearly three-quarters of organizations in the next three years,” Dagostino said.