Claim data released by Willis Towers Watson shows that two-thirds of cyber breaches arise from internal threats.
The data reveals that employee negligence or malicious acts account for two-thirds (66%) of cyber breaches, where only 18% were directly driven by an external threat, and cyber extortion accounted for just 2%.
Cyber security can no longer legitimately be considered the domain of IT alone, according to the MinterEllison Perspectives on Cyber Risk Report 2017 released this week – yet the Report’s findings show that Australian companies are being too slow to take the necessary action to mitigate and manage that risk.
The report highlights the prediction that, by 2021, cyber crime is expected to cost the world in excess of $6 trillion annually.
Willis Towers Watson warned that many organisations continue to focus on the technology aspect of cyber defence, which is crucial, but often at the expense of people-related risks, which represent the largest source of data breach claims.
Willis Towers Watson Financial and Executive Risks specialist Tanya Stevenson said cyber risk is one of the top-rated business risks faced by Australian companies. Stevenson commented: “With the recent introduction of a mandatory notification regime for privacy breaches, combined with an increased regulatory focus on the cyber resilience of Australian businesses, it is vital that companies understand their cyber risks.”
She added: “Companies are increasingly looking to purchase cyber insurance as a risk transfer solution. Those that are best able to articulate their cyber risk culture and their management of cyber risks, beyond their IT departments, are unsurprisingly in the strongest position for negotiations of cyber insurance quotations and coverage.”
ASIC to scrutinise directors who ignore cyber security – The Australian https://t.co/Hocb7ztrNy
— seczine.com (@CYSEC_COM) March 12, 2017
Paul Kallenbach, MinterEllison Technology Partner and cyber expert said, “Cyber attacks can entirely shut down businesses, causing significant (and sometimes irreparable) damage to corporate and government reputations, relationships and systems”.
ASIC’s four-year plan released last year identified cyber resilience as a key priority, signalling increased regulatory scrutiny of this issue. The regulator’s cyberrisk taskforce (financial markets) is collaborating with industry, regulators and the government on the issue.
“Regulators are alive to this and it may well be we start seeing some serious regulatory action when it comes to cyber,” Kallenbach said.
“They are setting the scene I would say. Woe betide the organisation that carelessly does not address this.”
Willis Towers Watson has launched a Cyber Risk Culture Survey solution. Comprising a cyber risk employee survey, it is the first of its kind in the marketplace and connects human capital and workplace culture to employer cyber risk vulnerability. The solution addresses companies’ leading challenges relating to cyber risk, such as tracking the extent of risk inherent in their employee’s behaviours, determining ways to mitigate this factor, and ultimately building a cyber smart workforce.
Hamish Deery, Asia-Pacific head of Talent and Rewards for Willis Towers Watson said the data clearly shows that companies who have had cyber breaches have a different cultural profile. He commented: “Their employees’ experience includes a relatively poor induction when joining the company. Especially in IT, this is a serious source of risk if new staff is not effectively trained to manage cyber risk.
“The inability to create an ongoing learning environment is also evident, including knowledge of how to circumvent hackers’ attempts to acquire confidential and sensitive data. Failing to sufficiently emphasise a customer focus, and appropriate incentive and training programs to support the management of cybersecurity are also evident in those companies who have had breaches. Understanding and addressing these workplace cultural elements is a first step to creating an environment that supports a holistic, integrated risk mitigation strategy.”