In the Crosshairs of Hackers: the Human Element in Cyber Risk
By Christof Nelischer, Global Group Treasurer, Willis Towers Watson
As cyber-attacks continue to dominate the headlines, corporate treasurers prove to be prime targets. Given cyber criminals want access to other people’s money, it’s natural that the treasury function makes an obvious target.
The most intuitive cyber risk relating to treasury is the initiation of fraudulent payments through a myriad of technical means such as phishing and social engineering attacks. Attackers are becoming ever more sophisticated - after all, it is believed that over 90% of cyber-attacks start with a phishing email, a malicious tactic that is becoming increasingly hard to distinguish from everyday email. Last year, I found myself the recipient of a phishing email, and decided to initiate a review of cyber risks within Willis Towers Watson treasury. It turned out that my phishing email was not an isolated incident within the company, as my colleagues across finance who are involved with handling insurance premiums and claims also reported similar targeting.
Discussions of cyber risk sometimes focus on managing risk and trying to transfer and mitigate the downside. However, this approach does not properly take account of the root of the cyber problem: human behaviour. As technology has become a driver of business models, cyber risk has grown into a systemic threat to businesses. While critical to protecting the enterprise, technology is only one piece of the solution. Organisations need a fully integrated, comprehensive plan that emphasises people, capital and technology protections to effectively manage cyber risk across the enterprise and ensure resiliency.
As Treasurer of Willis Towers Watson I benefit from the know-how in our organisation, and our own cyber insurance claims data shows that two-thirds of incidents are the direct result of employee behaviour – for example, negligence leading to lost devices, or malicious and disgruntled insiders seeking to profit from corporate espionage. When analysing the other 33% of incidents, a large portion can ultimately be traced back to additional human factors, such as system errors and inadequate network security practices, all of which still involve human error. It is generally believed that, while the initial focus of managing cyber risk was (or is) on technology, the focus is beginning to shift towards employee behaviour and operating procedures. Our objective at Willis Towers Watson is to drive a culture that creates cyber-smart employees, while also identifying deficiencies in talent and taking steps to remediate them. It is no longer solely the job of risk and IT departments to handle cyber risk. Companies need to understand the human element of cyber risk by assessing organisational culture and employee engagement, and by identifying talent and educational gaps, in order to protect against cyber threats.
The starting point is people: our own research shows that, whilst employers are more likely to perceive data privacy as a threat, employees are often less sensitive to it. At Willis Towers Watson, key staff undergo training on how to spot attacks aimed at them, including how to recognise phishing emails, as well as to understand the tactics used by cyber fraudsters. Such education has become a regular feature for our employees. Policies regarding user access, encryption of devices and password management were reviewed, reiterated and updated. One colleague later commented on another phishing email by saying that “they need to do better than this.”
We are also looking once again at systems, but I do not believe that IT solutions can be adopted and implemented in a vacuum. Again, research suggests that employees may be prone to relying on IT to take care of the matter. It is critical for people and technology to have a symbiotic relationship, so that the cyber risk strategy is connected to the business and is not simply a superficial wall surrounding an organisation. Much can be achieved at the intersection of people and technology, and one such area is the management of user access, especially to electronic banking systems. Very few banking transactions nowadays do not go through electronic portals, which puts electronic banking into focus. Are we sure that all employees who have left the firm have had their access to electronic banking platforms removed? Do we pay enough attention to those minor electronic banking platforms which we intend to phase out but which are still active? Do we effectively track the security tokens that give access to electronic banking systems?
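One way to turn those three questions into a repeatable check, as an added example that is not the author's or Willis Towers Watson's own tooling: a small reconciliation over constructed sample data (an HR roster with leaving dates, per-platform user exports and a token register; every name, platform id, token id and date below is invented) that flags leavers with live access, phase-out platforms still in use, and tokens that are unassigned or held by leavers.

```python
"""Periodic access review for electronic banking platforms (added example)."""
from datetime import date

TODAY = date(2024, 6, 1)  # fixed "as of" date so the review is reproducible

# Constructed sample data: HR roster, platform user exports, token register.
HR_ROSTER = {
    "a.smith": {"left": None},             # current employee
    "b.jones": {"left": date(2024, 3, 15)},  # left the firm in March
    "c.lee":   {"left": None},
}
PLATFORMS = {
    "mainbank-portal": {"phase_out": False, "users": {"a.smith", "b.jones"}},
    "legacy-fx":       {"phase_out": True,  "users": {"c.lee"}},
}
TOKENS = {
    "TOK-001": "a.smith",
    "TOK-002": "b.jones",
    "TOK-003": None,  # issued but not assigned to anyone
}

def has_left(user, roster, as_of=TODAY):
    """True if the user has left by `as_of`, or is unknown to HR at all."""
    rec = roster.get(user)
    if rec is None:
        return True  # an account HR cannot vouch for is treated like a leaver
    return rec["left"] is not None and rec["left"] <= as_of

def review_access(roster, platforms, tokens, as_of=TODAY):
    """Return (finding, subject, detail) tuples in a stable order."""
    findings = []
    for name, p in platforms.items():
        for user in sorted(p["users"]):
            if has_left(user, roster, as_of):
                findings.append(("LEAVER_HAS_ACCESS", name, user))
        if p["phase_out"] and p["users"]:
            findings.append(("PHASE_OUT_STILL_USED", name, len(p["users"])))
    for tok, holder in sorted(tokens.items()):
        if holder is None:
            findings.append(("TOKEN_UNASSIGNED", tok, None))
        elif has_left(holder, roster, as_of):
            findings.append(("TOKEN_HELD_BY_LEAVER", tok, holder))
    return findings

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, PLATFORMS, TOKENS):
        print(*finding)
```

In practice the three inputs would come from the HR system, each platform's administrator user export and the token inventory, and the review would be run on a fixed schedule and after every leaver.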