As the connections between employees' actions and cyber threats become stronger, effective boards and C-suites are prioritizing their role in the integrated governance of human capital and cyber risk.
WTW's 2024 Global Directors and Officers Survey Report reveals cyberattacks and data loss as two of the top three risks globally. (The top risk is health and safety, which can impact employee judgment and actions). Numerous studies connect the role of human behavior (and error) in cyber threats. For example, analysis of the U.K.'s Department for Science Innovation and Technology latest annual report discusses the impact of phishing, email breaches and ransomware.
But what happens when cybersecurity risks come from deliberate action by company insiders?
Insider cyber threats tend to be underestimated
Insider threats represent a significant yet often underestimated cyber risk to organizations. While external cyberattacks often dominate headlines and governance discussions, insider cyber threats can be equally — if not more — damaging because insiders have access to and knowledge of internal systems and processes. The 2024 Verizon Data Breach Investigations Report shows insiders were responsible for 35% of data breaches analyzed.
In a recent article, Insiders pose extreme threat to insurers' cybersecurity, WTW's Sean Plankey explores the nature of insider threats to specific companies and the potential impact on cybersecurity and mitigation strategies.
Effective boards and senior management teams ensure that they:
- Understand insider cybersecurity threats. An insider threat is a cybersecurity risk from people who have or had permission to access an organization's systems, data or premises. Insiders include current or former employees, contractors, partners or anyone with proprietary knowledge and access. In cybersecurity, insider threats can be intentional or unintentional. Effective boards and senior leaders evaluate the specific threats of intentional cyber incidents (those with malicious actions driven by money, revenge or ideology), including unauthorized access to customer databases, theft of intellectual property, changes to financial records and damage to critical systems. They also evaluate possible consequences, including potential financial losses, reputational damage, loss of customer trust, regulatory fines and legal liabilities.
- Implement access controls and enhance data protection. Effective boards and senior leaders establish and monitor comprehensive data security controls. They ensure protocols are in place to prevent insider threats, including encrypting sensitive data and implementing data loss prevention technologies. They create governance protocols that limit access to sensitive systems and data based on the principle of least privilege. This helps ensure that employees have access only to information necessary for their roles and reduces insider threats.
- Monitor and audit activity. Effective boards and senior leaders also create and follow governance protocols with tools to detect unusual or suspicious activities, such as unauthorized access attempts or unusual data transfers, which can help identify potential insider threats early. Boards receive and analyze regular reports from management that include key metrics on cyber events and outcomes, often in the form of monthly, quarterly and annual dashboards.
- Build cybersecurity culture and mindset through training and awareness. Effective boards and senior leaders foster and monitor a culture of cybersecurity vigilance and action, with a mindset focused on both incident prevention and swift and decisive reaction when an incident occurs. They ensure mandatory programs (with consequences for non-compliance) are in place to educate employees and managers about data and cybersecurity best practices, how to secure their data on a routine basis, the consequences of insider threats and what to do when an incident occurs.
- Clarify accountabilities for oversight and governance of cyber and human capital risk. Effective boards clarify their role versus management's role and what cyber and human capital issues are dealt with by which board committee versus with the full board and when. Effective organizations create meaningful roles for a chief information security officer, chief information officer, chief risk officer and chief human resource officer, all of whom have access and give reports to the board. Effective boards and senior leaders recognize there is overlap in responsibilities for these roles and create clear individual and shared accountabilities for topics such as disclosure, reduction of human errors, cyber risk, cybersecurity culture and broader human capital risk.
- Assess, quantify and mitigate risks. Along with increased board and CEO involvement in cyber risk oversight and broader compliance issues, organizations are significantly increasing their budgets for cybersecurity to manage growing risks. Effective boards review broad cyber risk assessments conducted by management that test the organization's level of cyber maturity. They oversee cyber risk quantification analysis to better understand the potential financial, reputational and regulatory impact of cyber events before they happen. These analyses help identify mitigation strategies (including additional protection protocols, infrastructure investments and cyber and liability insurance) to reduce the impact of events when they happen.
Effective boards and senior leaders seek not just to identify and catch bad actors, but also to build resilience knowing events will occur regardless of preparation. Inevitably, something unplanned will happen. The goal for the organization is to have protocols in place to survive, triage, operate and recover. And the role of the board in all these processes is critical.
A version of this article originally appeared on Forbes on September 30, 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.