October is National Cybersecurity Awareness Month here in the U.S. It’s also European Cyber Security Month (ECSM), a campaign designed to raise cyber security awareness and encourage users to improve their online hygiene. As I scan headlines after the large breaches that have occurred over the last six months, I continue to reflect on how a company’s internal employees continue to be a key vulnerability. Willis Towers Watson claims data confirms the people component quite clearly.
Technology will never be the sole protection. While most companies feel they’re on the right track in terms of data privacy and information security, many say they’re looking to create a culture of cyber-savviness in their organization. Most admit, however, that they are currently on the lower rungs of the ladder toward this goal, although they aspire to climb it quickly. Our 2017 Cyber Risk Survey found that while over half have no formally articulated cyber strategy now, over 80% want to have cyber risk management embedded in the company culture within three years.
So how do you build a cyber-savvy culture?
1. Increase the level and regularity of employee awareness training in your organization. It’s important that employees are trained to understand and respond to cyber threats, such as reviewing emails closely to ensure they’re from trusted and known senders before clicking on links. A cyber-savvy workforce holds the key to your enterprise resiliency.
2. Consider innovative ways to deliver employee awareness training. Most employees have a large and increasing training load covering topics from diversity to regulation. Given our survey finding of the low level of understanding of cyber risks, firms may want to use ‘learn by doing’ training approaches that will help to embed understanding over the longer term. There are several ways to achieve this – without risking the firm’s IT infrastructure – including novel approaches such as gamification and ‘cyber ambassadors’ (employees who champion cybersecurity).
3. Assess whether your organization’s IT department has the right or sufficient talent and skills needed in today’s environment to effectively handle emerging threats.
4. Evaluate whether your culture is supportive of cyber awareness and action-oriented behaviors. For example, do leaders model positive behaviors that encourage employees to do the same, and do employees truly know how to report a cyber incident?
For more details on building your employees’ cyber IQ, read Empowered employees: The frontline against cyber threats.
John Bremen is the Managing Director of Human Capital & Benefits, North America, at Willis Towers Watson.