Untrained staff biggest cyber security risk

Research reveals that a lack of staff training is leaving organisations vulnerable, with more collaboration between HR and IT needed

The majority of executives (87%) cite untrained staff as the greatest cyber risk to their business, according to research from Willis Towers Watson.

Compounding this is the fact that staff training is ranked among the categories that have made the least progress when measured against the National Institute of Standards and Technology (NIST) cyber security framework.

The research also found that the most common types of attack include malware/spyware (81%) and phishing (64%), with external unsophisticated hackers (59%) and cyber criminals (57%) identified as the next biggest external threats.

As workforce vulnerabilities contribute to most cyber incidents, two-thirds of companies surveyed believe a partnership between HR and information security is key. When asked who takes the lead role in developing employee-related cyber risk policies, 54% said HR leads with information security advising, and 28% said information security leads with HR advising.

Anthony Dagostino, global head of cyber risk solutions at Willis Towers Watson, said that while the results show HR is playing a vital role in cyber security, there could be greater collaboration between IT and HR.

“These findings are encouraging because they signal that more organisations are involving their HR function in addressing cyber risk. Still, organisations need greater collaboration between their CHROs and their CISOs to truly assess the organisational culture driving cyber risk in the first instance,” he said.

“The solution isn’t always more security awareness training. It could be a leadership or incentives and rewards issue, things that fall squarely within the function of the CHRO,” Dagostino added.

Rona Beattie, a professor in human resource development at Glasgow Caledonian University, told HR magazine that organisational security is often not regarded as a people issue.

“Organisational security has three key strands: cyber, physical and people. Normally they are addressed and resourced in that order; that is if people security is even considered at all,” she said. “Yet computers and IT, and physical barriers, are designed and operated by people. In effect people are an organisation's strongest and weakest link; we're all one click away from sending data into the wrong hands, as we've seen repeatedly across sectors with 'leaks' of personal data, customers and staff.”

She said that the dangers surrounding cyber security mean that everyone in an organisation should have an understanding of security with regards to their role.

“Add into that risk the potential for a malicious insider to create significant harm because of their organisational knowledge and access to critical resources,” she said. “The three strands of security need to be seen holistically. People security should be regarded similarly to health and safety, with everyone having a level of responsibility related to their role and level.”

The Willis Towers Watson report is based on a global survey of 1,300 organisations, meetings with an advisory panel, in-depth interviews with leading experts, and benchmarking analysis. The research was conducted in conjunction with a coalition of sponsors including Protiviti, Baker McKenzie, CyberCube, HP Inc., KnowBe4, Opus, and Security Industry.