Decoding cyber risk

Hispanic technician using digital tablet in server room

Cybersecurity needs a new battle plan, a better plan that deals with the full spectrum of your company’s cybersecurity — not just your technology. More than half of all cyber incidents begin with employees, so it’s a people problem. And the average breach costs $4 million, so it’s a capital problem, too.

The answer is a fully integrated, comprehensive plan for managing people, capital technology risks across your enterprise. Any cybersecurity plan that does less can hardly be called security at all. And this is not just an exercise for big, budget-rich risk management departments. Large company data breaches may fill the headlines, but small and middle-sized companies are just as readily targeted. And the factors that make an organization more or less vulnerable are in many cases the same across the spectrum of company size. So where to start?


The first step is assessing the risk, and to do that you have to know where to look for it. Yes, you need to look at your firewall, your IT infrastructure and the processes for moving data back and forth within the organization and outside the organization among partners and customers. But our research reveals that most important place to look is at your people and company culture. Lower employee engagement at work is connected to higher incidence of cyber breaches. People who are less involved with their work and workplace may be less careful about when and where they click. So any cyber risk assessment has to take a broad look across the organization.

Perhaps the most useful and least obvious assessment tool is a cyber risk culture survey. A well designed survey can reveal aspects of company culture that are shown to impact the potential for cyber breaches. This kind of understanding is the first step in building a culture of engagement in cyber protection and creating a cybersmart workforce.

Some key numbers

  • 431 million new malware variants were added in just one year.
  • 69% of cyber insurance claims are related to employee-driven incidents.
  • 205 days lapse, on average, from when a breach occurs to when it’s discovered.

Another key aspect of assessment is determining how ready you are for a breach incident. An incident response workshop can give you an idea of what happens during an incident and how quickly you’ll recovery.

The assessment process is often helped by experts and/or expert tools that help point out the weak links in the data security chain. Predictive analytics can help you quantify your cyber risk exposure.


Cyber protection technology is in a constant race with cyber criminal methods and tools. Sometimes it seems that as fast as cyber walls go up, hackers will go under and around them. Efforts must be taken, and technology is the first defense.

The second layer of defense — and as we’ve said, possibly the most important, or the least understood — is your workforce. Your people need education and training in the protection tools your company provides and in the risks they run when they click open a link whose source may not be safe. In the long run, your organization will also want to address the cultural factors that can raise or reduce motivation for following security protocols and for keeping your company data safe.

To address the people risk you may want to look at few specific options:

  • Cybersecurity work readiness: Diagnostics can help you address the emerging skills and talent gaps in your workforce within the context of cybersecurity.
  • Talent management solutions for cyber vulnerabilities: Human capital experts can help you build, lead and engage a more cyber-savvy workforce.
Investigate the optimum balance points between cyber risk retention and risk transfer

And now the capital risk piece. Even the best-trained, best-engaged workforce will make mistakes that could open a cybersecurity door. Risk can be reduced but not eliminated. That leaves risk transfer products to protect the capital that can be put at risk in a cyber breach.

Cyber risk transfer strategies include several options:

  • Cyber insurance program development and placement: The marketplace offers coverage and a cyber risk partner can create bespoke risk-transfer programs that address a wide variety of cyber risks.
  • Captive reserve funding solutions: Investigate the optimum balance points between cyber risk retention and risk transfer, and identify how a captive could support that approach.


From the very instant a breach begins, the clock is ticking. Every second that passes has a cost — to your reputation, customer loyalty, business operations, liability costs and more. Your incident response plans should be developed with that understanding. You should be prepared to recover losses, conduct forensic analysis to learn what led to the breach and quickly develop new defensive solutions. Here are some keys to an effective recovery plan:

  • Incident response coordination: Be sure you have the proper resources aligned to coordinate and execute your incident response plans. Consider engaging an external resource with expertise in the details of a cyber breach.
  • Claims advocacy: Following an incident, be ready to bring in legal experts to guide you through the process of claims notification and recovery of losses to the full extent of your insurance policies.
  • Forensic accounting: Qualified public accountants, forensic accountants and fraud examiners can quantify your pre-incident exposure and post-incident losses in the event of a cyber incident.
  • Business continuity planning: You should work across your organizational silos to develop strategies that minimize business interruption and loss of capital in the wake of a cyber breach incident.

Cyber risk is evolving. Your ability to manage it should, too. It’s not just about fighting off hackers. It’s about your people. And it’s about millions of dollars (if not tens of millions) at stake with every breach. The best way to protect yourself from all that is a fully integrated, comprehensive solution that manages people, capital and technology risks across your enterprise.


Learn more about comprehensive cybersecurity from Willis Towers Watson.


Cyber decoded

Cyber assessment

Cyber protection

Cyber recovery

Creating a cybersmart workforce starts with culture

About Anthony Dagostino

Anthony V. Dagostino is head of Global Cyber Risk at Willis Towers Watson. He has extensive experience in cyber ris…
Categories: Cyber Risk | Tags: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *