Workforce culture, customer focus and employee training impact cyber-risk

Willis Towers Watson data reveals correlations between employee opinions and cyber-breaches

Arlington, VA (May 27, 2016) – Organizations experiencing data breaches are judged by their employees as lacking a learning culture and failing to put the customer at the center of business activity, according to a new analysis from leading global advisory, broking and solutions company Willis Towers Watson.

To more closely examine the extent of cyber-risk inherent in employee behavior, Willis Towers Watson analyzed employee survey results across its rich database, capturing employee opinions from over 450,000 employees corresponding to a period during which significant data breaches were identified within their firms. These results were then benchmarked against global high-performance companies and global information technology (IT) staff, drawing on Willis Towers Watson’s world-leading database of employee opinion survey data.

The results, published in a client alert titled Inside Threat: Why Employee Behavior and Opinions Impact Cyber-Risk, provide a snapshot of employee opinions within firms that have experienced cyber-breaches and suggest a fundamental emphasis on workforce culture may be the first line of defense against cyber-risk.

Key findings

As expected, there were significant gaps in favorable opinion scores between employees in data breach groups and each benchmark.

Compared to the high-performance group, employees at data breach companies report significantly lower scores in three areas of workforce culture:

  • Training
  • Company image
  • Customer focus

Compared to the IT employee group, IT workers in data breach companies have less favorable views of training and score especially low on perceived training of new employees. The analysis points to new staff as a blind spot and potential serious source of cyber-risk if not effectively trained in processes and procedures.

Compared to the IT employee group, pay for performance emerges as a challenge. The findings indicate that frontline IT staff in data breach companies perceive a misalignment between their efforts and associated rewards, potentially undermining efforts to identify and manage cyber-risk.

Compared against both benchmarks, employees in data breach companies indicated a widespread lack of customer focus. This finding is significant from a risk management perspective, as it could set the stage for poor decision making and undermine the vigilance needed to counteract attempts to steal online customer information.

Commenting on the findings, Patrick Kulesa, global research director, Willis Towers Watson’s Research and Innovation Center, said, “These data are significant because they offer an inside view of workforce culture and for the first time reveal the vulnerabilities within companies experiencing cyber-breaches based on the ultimate insiders — their employees.”

“There is broad awareness of the human element as a risk factor in data security breaches. However, to more effectively manage cyber-risk, organizations need to better understand how the various elements of their workforce culture shape their employees’ behavior and, ultimately, either reduce or drive their exposure to cyber-risk,” said Adeola Adele, employment practices liability product and cyber-thought-leader of Willis Towers Watson’s FINEX North America practice.

To respond to the range of cyber-risks stemming from inside threats, Willis Towers Watson experts suggest a series of prevention priorities for organizations, including:

  • Focus on an enterprise-wide approach to setting cyber-strategy, with collaboration across corporate functions including IT, HR, Legal, Operations and Finance.
  • Invest in making the workforce cyber-smart through comprehensive training and a combination of rewards and disincentives to encourage a culture supportive of cyber-security.
  • Consider technology one of several lines of defense. While technological defenses are critical, they are not a sufficient response on their own.
  • After risk management strategies are employed, companies can insure for cyber-threats they cannot mitigate.

To read the full report, click here.

About Willis Towers Watson

Willis Towers Watson (NASDAQ: WLTW) is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has 39,000 employees in more than 120 countries. We design and deliver solutions that manage risk, optimize benefits, cultivate talent, and expand the power of capital to protect and strengthen institutions and individuals. Our unique perspective allows us to see the critical intersections between talent, assets and ideas – the dynamic formula that drives business performance. Together, we unlock potential. Learn more at

Source: Willis Towers Watson