willistowerswatson.com
Decoding Cyber Risk
2017 Willis Towers Watson Cyber Risk Survey
US results
© 2017 Willis Towers Watson. All rights reserved.
Executive summary
Cybersecurity is viewed as a fundamental challenge and a top priority for organizations.
Many companies feel they are on the right track in terms of data privacy and information security risk management.
But most recognize that this is a journey, and many are looking to create a culture of cybersecurity in their organization.
Many threats exist around employee behaviors, and the vulnerabilities they create will be a top priority over the next three years.
Immediate priorities are:
- Training for employees and contractors
- Reviewing the cyber insurance gap and adding coverage
© 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.
About the survey
US responses
- 92 companies from the US, with respondents covering Risk Management, Finance and Accounting, IT and HR
- 2,073 employees from the US, 82% of whom use a computer, tablet or other IT device in their job sometimes or frequently; 507 work in a corporate IT function
Cyber risk
Developing a culture of cybersecurity
Cyber security is a fundamental challenge for US business
One in five companies have suffered a cyber breach in the last year
20% reported that their organizations have been impacted by a cyber breach in the last year (percentage of Somewhat significant/Significant/Very significant/Extremely significant):
- Extremely significant / Very significant: 3%
- Significant: 3%
- Somewhat significant: 13%
Note: May not sum to total due to rounding.
16% reported occasions when senior leaders have put confidential information at risk over the last three years (percentage of Strongly agree or Agree).
Source: 2017 WTW Cyber Risk Survey, US.
Cyber security is a fundamental challenge for US business
Two-thirds see cyber risk as a fundamental challenge to their business
66% see cyber security as a fundamental challenge for their business.
(Chart: Fundamental challenge 66%; the remaining 22% and 12% fall under Neutral and Another risk to the business.)
85% view cyber security as a top priority for their company (percentage of Strongly agree or Agree).
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Companies aspire to develop a culture of cyber security
Companies have adopted a wide range of cyber risk management activities, but few have embedded them into their company culture
Which of the following best describes what your organization has accomplished in your cyber risk strategy to date and what you expect to accomplish in the next three years?
- No Strategy: Implemented various risk management activities but have not formally articulated a cyber strategy
- Adopt Strategy: Adopted and articulated a cyber risk strategy with stated objectives and goals for each program
- Communicate and Deliver: Effectively communicated the cyber risk strategy with stated objectives and goals to employees
- Culture of Cyber Security: Embedded cyber risk management within our company culture
Chart values (Today and In 3 years), in extraction order: 53%, 0%, 11%, 4%, 28%, 4%, 8%, 85%
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Cyber risk
Actions, priorities and barriers
The initial focus was chiefly on technology, but increasingly this will shift to employee behavior and operating procedures
To what extent has your organization made progress in the following areas to mitigate vulnerability to a cyberattack over the last/next three years?
- Improve the technology systems and infrastructure: 76% over the last three years; 68% over the next three years (change: -8)
- Improve business and operating processes: 58% over the last three years; 72% over the next three years (change: +14)
- Address factors tied to human error or actions: 52% over the last three years; 74% over the next three years (change: +22)
Note: Percentages indicate ‘To a great extent’ or ‘To a very great extent’.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
The initial focus was chiefly on technology, but increasingly this will shift to employee behavior and operating procedures
Has your organization completed in the last two years, or does it plan to complete in the next two years, any of the following cyber risk related activities?
- Review of key risk areas: 99% completed over last two years or plan to complete in next two years (82% completed in the last two years; 30% plan to complete in the next two years)
- Review of our systems: 99% (81% completed; 30% plan to complete)
- Testing robustness of systems / vulnerability to attack: 98% (76% completed; 34% plan to complete)
- Provide regular updates to employees about new security threats: 95% (70% completed; 39% plan to complete)
- Audit of our processes: 94% (68% completed; 38% plan to complete)
- Testing of emergency response plan: 97% (66% completed; 40% plan to complete)
- Review of contractors and third-party suppliers: 89% (56% completed; 43% plan to complete)
- Comprehensive training program on cyber risks for employees: 94% (53% completed; 52% plan to complete)
- Comprehensive training program on cyber risks for non-employees (e.g., contract worker): 61% (24% completed; 42% plan to complete)
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Over nine in 10 companies have reviewed or will review their existing cyberinsurance, with eight in 10 looking to enhance coverage
- Review and identify gaps in existing insurance coverage: 94% completed over last two years or plan to complete in next two years (66% completed in last 2 years; 37% complete in next 2 years; 9% do both)
- Add or enhance cyberinsurance coverage: 81% completed over last two years or plan to complete in next two years (54% completed in last 2 years; 36% complete in next 2 years; 9% do both)
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Most organizations have centralized their approach to data privacy and information security
To what extent does your organization have a centralized or decentralized approach to data privacy and information security?
- Centralized: 67%
- Neutral: 15%
- Decentralized: 18%
Note: Centralized = respondents giving a 1 to 3 score; Decentralized = respondents giving a 5 to 7 score; Neutral = respondents giving a 4 score.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Most companies feel they have appropriate levels of resources, clearly defined roles and responsibilities, and consistent policies
But concerns exist about sufficient budgets and room for improvement in how risk management and HR work together
- Our organization has an appropriate amount of support from centralized (corporate-level) resources: 78%
- It is clear which parts of the company are responsible for data privacy and information security: 73%
- Our organization does an effective job of finding the most qualified individuals to support our cyber risk operations: 69%
- Our organization has an appropriate amount of local-level support: 65%
- Our organization has consistent data management and information security policies across all aspects of the business: 63%
- Our organization has adequate budgets to meet all its cyber risk management needs: 43%
- The risk management and HR functions work closely together on cyber risk management: 37%
Note: Percentages indicate Agree or Strongly agree.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
A lack of employee awareness, ineffective processes and insufficient budgets are perceived as the key cyber risks
To what extent are the following barriers preventing your organization from effectively managing its cyber risks?
Legend: To a very great extent / To a great extent; To a moderate extent; To a slight extent; Not at all
- Insufficient employee understanding of cyber risks: 13% to a great or very great extent; 21% to a moderate extent; 45% to a slight extent
- Ineffective structure and processes: 7% to a great or very great extent; 25% to a moderate extent; 28% to a slight extent
- Insufficient budgets: 5% to a great or very great extent; 24% to a moderate extent; 40% to a slight extent
- Insufficient internal training on cyber risks: 10% to a great or very great extent; 17% to a moderate extent; 36% to a slight extent
- Lack of clear business strategy on cyber risks: 13% to a great or very great extent; 13% to a moderate extent; 33% to a slight extent
- Lack of internal expertise: 7% to a great or very great extent; 18% to a moderate extent; 32% to a slight extent
- Insufficient leadership engagement with cyber risk agenda: 8% to a great or very great extent; 17% to a moderate extent; 22% to a slight extent
- Insufficient insurance coverage of cyber risks: 4% to a great or very great extent; 12% to a moderate extent; 26% to a slight extent
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Cyber risk
Does employee behavior match company policy?
A large number of employees assume central IT is protecting them
Employer View (% of ‘Strongly agree’ or ‘Agree’)
- The organization communicates effectively to employees about data privacy and network best practices: 77%
- Our organization has consistent data management and information security policies across all aspects of the business: 63%
Employee Behavior
- Opening any email on my work computer is safe (% of ‘Strongly agree’ or ‘Agree’): 46%
- Discussed work-related topics in public places (% of ‘Frequently’ or ‘Sometimes’): 41%
- Shared network password with a work colleague (% of ‘Yes’): 15%
- Developed an issue with your work computer due to an action you took (e.g., surfing websites, downloading software) (% of ‘Yes’): 15%
Source: 2017 WTW Cyber Risk Survey, employer survey and employee survey, US.
Are employees comfortable reporting incidents?
Employer View
- 93% believe that they have provided an environment in which employees are comfortable reporting about data privacy and data security.
Employee Behavior (% of ‘Yes’; chart values as extracted: 43%, 34%, 32%)
- Received a suspicious email at work meant to trick you into opening a harmful link or attachment. Among them, eight in 10 reported the suspicious email to IT department
- Witnessed co-workers behaving in ways inconsistent with data privacy and information security policies. Among them: 53% reported to manager or IT department; 31% only spoke with those individuals; 15% took no action
- Discussed information security risks with your immediate manager
80% know the steps to take if they suspect sensitive information is at risk or has been stolen.
Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.
Over half of employers perceive data privacy threats by employees or contractors, but employees are less aware
A disgruntled employee or contractor could deliberately compromise our systems or steal customer/client data?
- Employers: 59%
- All employees: 40%
- IT professionals: 56%
Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.
Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.
Does employee behavior match company policy?
Employer View (% of ‘Strongly agree’ or ‘Agree’)
- 75% of organizations have a strict policy regarding applications and software that can be downloaded by employees.
- 72% of employers believe that they are doing enough to protect the integrity of customer/client data.
Employee Behavior
- Use personal computing devices that have not been approved by your company’s IT department to do work at home (% of ‘Frequently’ or ‘Sometimes’): 22%
- Downloaded software onto your work computer that was not approved by your IT department (% of ‘Yes’): 18%
- Remove paper files with confidential information from the office to do work at home (% of ‘Frequently’ or ‘Sometimes’): 27%
- Sent or received an important or confidential work file via email without password protection (% of ‘Yes’): 23%
- Sent a confidential work file via email to the wrong recipient (% of ‘Yes’): 11%
Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.
Awareness of social engineering risk among employees needs to be enhanced
Regarding how you use technology, do you…?
Protection from social engineering attacks
- Disable features that let you auto-save passwords on your personal computing devices
- Purchase a personal identity theft protection service
Vulnerabilities to social engineering attacks
- Only change the password on my work computer when prompted
- Share personal information (e.g., date of birth, employer name, job title) in profiles on social media sites
- Use the same passwords across all your personal computing devices
Chart values as extracted: 28%, 56%, 34%, 33%, 69%
Source: 2017 WTW Cyber Risk Survey, employee survey, US.
How engaged are employees with their company training programs?
Nearly half of employees spent less than 30 minutes in training in the last year.
Over the past 12 months, how much time have you spent in training specific to data protection and information security at your company?
- None: 25%
- Less than 10 minutes: 9%
- 10 minutes to less than half an hour: 11%
- Half an hour to less than one hour: 19%
- One hour to less than half a day: 18%
- Half a day to less than 1 work day: 8%
- 1 work day or more: 10%
45%: less than half an hour in total (the first three categories combined)
61% of employees completed the training only because it was required by their companies. (% of ‘Strongly agree/Agree’)
Employees benefit from training (% of ‘Strongly agree/Agree’)
- It improved my understanding of the steps I need to take to better protect confidential information: 78%
- It increased my sense of personal responsibility for data security at work: 77%
- It taught me something new about data and information security: 71%
- It motivated me to change how I manage my personal computing devices: 63%
Source: 2017 WTW Cyber Risk Survey, employee survey, US.
We define four types of employees according to how they use technology at work or at home
- Alert (37%): Employees who protect personal information in daily life and are aware of information security at work
- Comply (24%): Employees who behave at work in compliance with data/information protection policies but are careless with personal behaviors
- Ignore (21%): Employees who pay attention to the protection of personal information, but whose behaviors at work fall short
- Unconcerned (18%): Employees whose behaviors of using technology both at work and at home may lead to potential cyber risks
Based on the following questions:
PERSONAL BEHAVIORS
- Use the same passwords across all of personal computing devices
- Do not purchase a personal identity theft protection service
- Share personal information in profiles on social media sites
- Do not regularly update virus protection software on personal computing devices
- Do not change passwords for personal email and online accounts at least once every 3 months
- Do not disable features that auto-save passwords on personal computing devices
WORK BEHAVIORS
- Use personal computing devices that have not been approved by company’s IT department to do work at home
- Remove paper files with confidential information from the office to do work at home
- Downloaded software onto work computer that was not approved by IT department
- Developed an issue with work computer due to an action employees took
- Shared network password with a work colleague
- Sent or received an important or confidential work file via email without password protection
- Lost a piece of work equipment
- Sent a confidential work file via email to the wrong recipient
Source: 2017 WTW Cyber Risk Survey, employee survey, US.
Behavior is strongly linked to training time, type of work and age
Time spent in training specific to data protection and information security
- Less than 30 minutes: Alert 30%; Comply 17%; Ignore 33%; Unconcerned 20%
- At least half day: Alert 33%; Comply 38%; Ignore 12%; Unconcerned 17%
Primary type of work
- IT: Alert 22%; Comply 50%; Ignore 9%; Unconcerned 19%
- Non-IT: Alert 42%; Comply 15%; Ignore 25%; Unconcerned 17%
Gender
- Male: Alert 34%; Comply 31%; Ignore 17%; Unconcerned 18%
- Female: Alert 41%; Comply 16%; Ignore 26%; Unconcerned 17%
Generation
- Boomers: Alert 51%; Comply 16%; Ignore 23%; Unconcerned 10%
- Gen X: Alert 39%; Comply 25%; Ignore 18%; Unconcerned 18%
- Gen Y: Alert 27%; Comply 28%; Ignore 22%; Unconcerned 23%
Chart labels: Cyber risk; Work safe
Source: 2017 WTW Cyber Risk Survey, employee survey, US.
Cyber risk
Key insights
Key insights
1. Many companies feel they are on the right track with their information security and infrastructure and operational policies
2. Large majority of companies have reviewed and enhanced their cyber insurance cover or plan to do so in next two years
3. Companies are shifting focus to tackle people risks and build a culture of risk management
- People risks are the next frontier in cyber risk management
- There is a disconnect between company policy and employee behavior
- Employees are overly reliant on company IT to provide cyber security
- Employees need to move from complying to actively engaging in their training
- Social engineering creates additional vulnerabilities that need to be addressed
Key insights
Company actions
1. Continuously evolve with the changing threats
2. Encourage employees to go beyond compliance
3. Train to win
4. Check your insurance policies
Cyber risk
Appendix: US - UK comparison
US employers take the lead in action
Over last two years:
- Completed reviewing their systems: US 81%; UK 65%
- Provided regular updates to employees about new security threats: US 70%; UK 51%
Employers say that (% of ‘Strongly agree’ or ‘Agree’):
- They provide an environment in which employees are comfortable reporting concerns about data privacy and information security: US 93%; UK 82%
- They communicate effectively to employees about data privacy and network best practices: US 77%; UK 68%
- Managers set clear expectations regarding how employees need to handle confidential customer/client information: US 72%; UK 63%
- They are doing enough to protect the integrity of customer/client data: US 72%; UK 63%
- They have consistent data management and information security policies across all aspects of the business: US 63%; UK 58%
Source: 2017 WTW Cyber Risk Survey, employer survey, US; 2017 WTW Cyber Risk Survey, employer survey, UK.
The percentage of US employers thinking that cyberinsurance coverage meets their needs is nearly twice that of UK employers
Our cyber insurance coverage is comprehensive enough to meet our needs: 62% of US employers; 38% of UK employers
Review and identify gaps in existing insurance coverage (completed over last two years or plan to complete in next two years):
- US employers: 94% (66% completed in last 2 years; 37% complete in next 2 years; 9% do both)
- UK employers: 87% (42% completed in last 2 years; 51% complete in next 2 years; 6% do both)
Add or enhance cyberinsurance coverage (completed over last two years or plan to complete in next two years):
- US employers: 81% (54% completed in last 2 years; 36% complete in next 2 years; 9% do both)
- UK employers: 71% (26% completed in last 2 years; 45% complete in next 2 years)
Source: 2017 WTW Cyber Risk Survey, employer survey, US; 2017 WTW Cyber Risk Survey, employer survey, UK.
Both US employers and UK employers see the importance of training
Has your organization completed in the last two years, or does it plan to complete in the next two years, a comprehensive training program on cyber risks for employees?
- US: 94% completed over last two years or plan to complete in next two years (53% completed in the last two years; 52% plan to complete in the next two years)
- UK: 90% completed over last two years or plan to complete in next two years (36% completed in the last two years; 63% plan to complete in the next two years)
Source: 2017 WTW Cyber Risk Survey, employer survey, US; 2017 WTW Cyber Risk Survey, employer survey, UK.
Cyber risk
Appendix: Additional material
Many threats exist, especially around employee behaviors
For each of the following, have you ever…?
- Received a suspicious email at work meant to trick you into opening a harmful link or attachment. Among them, eight in 10 reported the suspicious email to IT department
- Sent a confidential work file via email to the wrong recipient
- Lost a piece of work equipment (e.g., computer, portable storage device, cellular device)
- Developed an issue with your work computer (such as a virus or damaged files) due to an action you took (e.g., surfing websites, downloading software)
- Shared your network password with a work colleague
- Downloaded software onto your work computer that was not approved by your IT department
- Sent or received an important or confidential work file via email without password protection
- Discussed information security risks with your immediate manager
- Witnessed co-workers behaving in ways inconsistent with data privacy and information security policies
Chart values as extracted: 43%, 34%, 32%, 23%, 18%, 15%, 15%, 13%, 11%
Among those who have witnessed co-workers behaving in ways inconsistent with data privacy and information security policies: 53% reported to manager or IT department vs 46% spoke with only those individuals or took no action
Source: 2017 WTW Cyber Risk Survey, employee survey, US.
About three-quarters of organizations feel their IT systems and cyber security strategy are fit for purpose
But there is a lack of confidence in cyber insurance coverage
Do you agree or disagree with the following statements about how your organization manages cyber risk?
- Our IT systems are fit for purpose: 77%
- Our cyber risk strategy is fit for purpose: 73%
- Our organization has a strong culture of risk management: 72%
- Our business processes are fit for purpose: 65%
- Our cyber insurance coverage is comprehensive enough to meet our needs: 62%
- We effectively manage cyber risks excluded from our insurance coverage: 55%
Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Most employers have effective policies to manage data privacy threats by employees, manage software downloads and respond to security threats
And nearly three-quarters feel they have done enough to protect client data, including against outsiders breaking into their systems
Do you agree or disagree with the following statements about how your organization manages data privacy and information security?
- The organization provides an environment in which employees are comfortable reporting concerns about data privacy and information security: 93%
- Our company has the right processes in place to react to data privacy and security threats: 79%
- Our organization effectively manages the data privacy and security threats that could be caused by our employees and contractors: 78%
- The organization has a strict policy regarding applications and software that can be downloaded by employees: 75%
- Our company is doing enough to protect the integrity of customer/client data: 72%
- Our organization is highly protected from attempts by outsiders to gain access to our systems or data: 72%
Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Nearly eight in 10 employers say that they have strong commitment from senior management, effective communication to employees and have set clear expectations to employees
- Senior management is strongly committed to the protection of all confidential data: Employer View 89%; Employee View 78%
- The organization communicates effectively to employees about data privacy and network best practices: Employer View 77%; Employee View 75%
- Managers set clear expectations regarding how employees need to handle confidential customer/client information: Employer View 72%; Employee View 74%
Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.
Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.
Most employees feel they know how to manage data privacy and information security in their jobs
But still, two-thirds are pushed to change their password, and half are not aware of risks when opening emails on work computers
(% of ‘Strongly agree’ or ‘Agree’)
- I know the steps to take if I suspect sensitive information is at risk or has been stolen
- I have read and understood my company's policies regarding data privacy and information security
- I know where to find the information I need to understand data privacy and information security risks
- I only change the password on my work computer when prompted
- Opening any email on my work computer is safe
Chart values as extracted: 82%, 76%, 80%, 69%, 46%
Source: 2017 WTW Cyber Risk Survey, employee survey, US.
Vulnerabilities around employee behaviors
How often do you do each of the following? (% of ‘frequently’ or ‘sometimes’)
- Use your work computer or cellular device to access confidential company information: 41%
- Discuss work-related topics in public places: 41%
- Log into your work computer or cellular device using an unsecured public network (Wi-Fi): 32%
- Use your work computer in public settings (e.g., while commuting, on airplanes/trains, at cafes): 31%
- Remove paper files with confidential information from the office to do work at home: 27%
- Use personal computing devices that have not been approved by your company's IT department to do work at home: 22%
Source: 2017 WTW Cyber Risk Survey, employer survey, US.
Policies to enhance cyber security
Which specific policies does your organization have in place or plan to have in the next few years?
- Require employees to create strong passwords (e.g., set minimum length, include upper and lower case letters, use numbers and symbols): 85% in 2017; 95% in 2019*
- Require employees to change passwords at least every three months: 76% in 2017; 91% in 2019*
- Have a disciplinary policy to enforce the data protection policy: 65% in 2017; 71% in 2019*
- Require portable storage devices used for company business to be encrypted at a standard set by the company: 52% in 2017; 73% in 2019*
- Prohibit the use of portable storage devices: 46% in 2017; 60% in 2019*
*Includes companies indicating planned for 2018 or considering for 2019.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.