Recent headlines about data breaches, stolen assets and network outages reflect the very real threat of cyber risk. For example, it has been widely reported that the recent cyber attack ‘WannaCry’ was enabled through phishing emails (i.e., employees had to click on an infected link to enable the ransomware). What roles do company culture, employee opinion and behavior play in preventing such incidents? And how can employers harness these factors to mitigate the risk of threats to the security of data and intellectual property?
Did you know that employee negligence and malicious acts — including lost laptops, the accidental disclosure of information and actions of rogue employees — cause two-thirds (66%) of cyber breaches? By contrast, 18% of breaches are directly driven by external threats (Figure 1).
Figure 1. Percentage of claims by breach
Source: Willis Towers Watson claim data
How can employers measure the risk inherent in their employees’ behaviors, determine how to lessen this risk and build a cyber smart workforce?
Willis Towers Watson Cyber Risk Culture Survey
Willis Towers Watson is a proven leader in employee opinion surveys and cyber risk management. Combining these two areas of expertise, we’ve developed the Cyber Risk Culture Survey to help organizations of all sizes and across all industries reduce their cyber risk by creating a culture of heightened awareness and cyber-savvy behavior.
Our survey is grounded in the latest research on employee opinion as well as cyber risk trends and research findings. We target survey questions to the right levels (e.g., corporate or local) and groups (e.g., functions or departments) to yield the most actionable findings. Our Employee Insights and Cyber Risk teams then analyze the results and identify your organization’s high-risk areas. In addition, we link the data to specific risk factors, and to potential talent and reward solutions and other risk mitigation strategies. We can also compare your results to those of other organizations in your industry and high performers worldwide.
Cyber Risk Culture Surveys can be delivered via our fast self-service Pulse Software, or through a fully supported and managed survey.
Which aspects of culture leave companies vulnerable to cyber risk?
To identify the vulnerable aspects of culture in companies that have experienced data breaches, we analyzed employee survey results from our world-leading database, which includes responses from over four million employees in 400 organizations across all business sectors and world regions. We compared employee opinion scores from breached companies with two sets of benchmark data from our database:
Benchmark 1: Global high-performance companies. These 28 organizations, financial leaders in their industries, have above-average top- and bottom-line performance compared with sector-specific average scores over a 36-month period. This benchmark includes organizations with the most favorable employee opinions in the database.
Benchmark 2: Global IT staff. These benchmark data include responses from IT staff across organizations globally, with the opinions of over 400 companies and more than 160,000 IT workers represented. We compare opinion scores from IT functions in the breached companies with the data from this benchmark group.
Willis Towers Watson findings suggest that environments experiencing cyber breaches may lack:
- A laser-sharp focus on customers and responsiveness to their needs
- A strong company image fostered among employees to show commitment to social responsibility
- Comprehensive training to help employees, especially IT staffers, thoroughly understand their jobs
What implications does this have for mitigating cyber risk?
Employee negligence and malicious behavior cause most cyber-related incidents. So it’s important for employers to use all the tools available for breach prevention, including:
- A strong, risk-averse culture
- An effective talent strategy that includes recruitment, onboarding and retention
- Targeted training and incentive programs as well as policies to ensure compliance
Embedding your organization’s culture with an emphasis on risk awareness is the first step in creating a workplace environment that supports a holistic, integrated risk mitigation strategy.
Figure 2. An integrated process that brings critical insights, best-in-class protections and aggressive recovery resources to an organization's cyber risk profile