Organizations experiencing data breaches are judged by their employees as lacking in two key areas of workforce culture: employee training and pay for performance.
This was among the key themes that emerged from Willis Towers Watson’s recent report Inside Threat: Why Employee Behavior and Opinions Impact Cyber-Risk, an analysis of over 450,000 employee opinions captured during a period of significant data breaches within their organizations. The data was then compared with opinions from employees of high-performing companies and global information technology (IT) staff.
The study is significant because, while many have written about the human element evident in cyber breach claims (i.e., negligent or rogue employees), the Willis Towers Watson study aimed to answer a deeper question: how can organizations track the extent of cyber risk inherent in their employees’ behaviors and determine how to mitigate this factor?
Interestingly, the results reveal correlations between employee opinions and cyber breaches. Perhaps more importantly, the data suggests that a significant part of the answer in helping organizations assess and minimize cyber risk lies in understanding the workforce culture that shapes everyday employee behavior.
According to the results, employees in the data breach companies gave their companies significantly lower scores in the area of training compared to the opinions from employees in high-performing companies. Questions on this topic included employees’ opinions about whether they have received adequate training for the work they do and if they have access to training to improve their skills and learn new skills to advance in their roles.
Compared to the global IT employee group, IT workers in data breach companies also have less favorable views of training and doled out especially low scores related to the perceived training of new employees. The analysis points to new staff as a “blind spot” and a potentially serious source of cyber-risk if they are not effectively trained on cybersecurity processes and procedures.
Pay for performance
According to the data, “pay for performance” also emerges as a challenge. For example, the findings indicate that frontline IT staff in companies that have experienced data breaches perceive a misalignment between their efforts and associated rewards, potentially undermining efforts to identify and manage cyber-risk.
Culture: The first line of defense
For organizations confronting cyber risk today, placing a fundamental emphasis on workplace culture is the first step to creating an environment that supports a holistic, integrated risk mitigation strategy. After all, an organization and its leaders create and reinforce a culture that influences every employee. This culture holds the shared values, norms, beliefs and assumptions that ultimately drive employees’ actions. These behaviors, in turn, can either reduce or drive an organization’s exposure to cyber risk.
Invest in making the workforce cyber-smart
Recognizing the correlation between employee opinions and cyber risk, organizations assessing how to allocate capital toward an effective cybersecurity program should consider prioritizing investment in enterprise-wide cybersecurity training. Such an effort may challenge other capital allocation strategy norms, but a vigilant workforce is vital to resiliency. Not all training will deliver 100% perfection, but it can improve prevention.
Organizations should also think strategically about their human resource policies and compensation programs – offering a combination of rewards and incentives to encourage a culture supportive of cyber security.
This post was co-authored by Patrick Kulesa, Ph.D., based in New York. Patrick is a member of the advanced analytics group within Willis Towers Watson’s Research & Innovation Center, serving as global director of employee survey research. Patrick has 17 years of consulting experience and specializes in applying advanced statistical techniques to organizational data.