Emerging M&A Trends for HR Leaders: Assessing Cybersecurity Risks

Every organization must address the human element of cybersecurity.
Submitted by Willis Towers Watson, a partner organization of the M&A Leadership Council

Willis Towers Watson recently analyzed data from 225 cyber insurance claims it reported on behalf of clients in 2017. The resulting Reported Claims Index revealed that HR leaders must take an active role in cyber security: 58% of claims last year were directly attributable to employee negligence and/or malfeasance. Hacking accounted for 23% of claims, with some of those also traced to human error, such as a failure to install available security patches.

These results corroborate those of a June 2017 survey we conducted among US and UK employers. Survey respondents overwhelmingly identified the top cyber risk as “insufficient employee understanding of cyber risks.” Yet only 14% of UK employers and 8% of US employers said that they have embedded cyber risk management in their company culture. Other findings included the following:

  • About 40% of employees use a cellular device or work computer to access confidential company information and discuss work-related topics in public places.
  • Approximately 30% have used a work device in public settings or logged in using an unsecured public network.
  • Around 25% of employees use unapproved devices to work at home or take home confidential paper files.
  • Roughly 66% of employees change their passwords only when prompted, while about 33% will share personal information via social media sites.
  • Nearly 50% of employees reported spending less than 30 minutes on data protection/information security in the previous year.
  • Among employees who received comprehensive data protection/information security training, 77% believe it increased their sense of personal responsibility for cyber security in the workplace.

Thus addressing the human element of cybersecurity is a critical component of every organization’s cyber risk management. Organizations must allocate resources to employee training, along with talent strategies that address skill-related vulnerabilities. Building a “cyber savvy” workforce is a task that HR and IT leaders must share.

The May 2017 WannaCry ransomware attack is an apt example. It struck at least 100,000 organizations worldwide, including companies like FedEx, Nissan and Hitachi. WannaCry exploited a vulnerability in computers running Microsoft Windows, holding the computer’s data “hostage” until the operator paid a Bitcoin ransom. Employees played a central role in WannaCry’s rapid infiltration. First, failing to install the security patches provided by Microsoft left their devices vulnerable to attack. And second, clicking on phishing emails let WannaCry right in.

Implications for HR Due Diligence

Because cybersecurity is directly related to employee behavior, it must be addressed jointly by IT and HR leaders. During the due diligence process, the HR team should take ownership of evaluating the human-related elements of cyber risk management:

  • Does the Target company have a “culture of cybersecurity”? Ideally, employees understand their role in protecting the company’s data and actively participate in cybersecurity measures.
  • What kind of baseline cybersecurity training do employees receive? Cybersecurity training shouldn’t be a one-time undertaking reserved for new hires. It should be ongoing, to ensure that employees are up-to-date on the latest cybersecurity policies and procedures.
  • Does the Target have the ability to detect and predict cybersecurity-related employee behavior? This ability helps to eliminate potential behavior-related vulnerabilities and should be a part of every organization’s overall cyber risk management strategy.
  • How well does the Target maintain its IT-related talent pipeline? An understaffed IT department can result in both knowledge gaps and limited capacity for employee training. These issues can be addressed either by attracting new talent or by upgrading existing employees’ skills.
  • Who is responsible for employees’ cyber risk awareness and protection? In most companies, this job falls solely to IT. More sophisticated organizations embrace collaboration among risk management, HR and IT departments.

Ultimately the role of HR leaders will continue to evolve as we better understand the human elements of cybersecurity. Their role in M&A due diligence will expand accordingly in the coming years, as technology and humans interact in novel ways.
If you’d like to learn more about due diligence for HR leaders, please join us in May for The Art of M&A for HR Leaders. This event brings together industry leaders from top firms like Willis Towers Watson, who share their real-world insights and lessons learned. Register online today.