
willistowerswatson.com

Decoding Cyber Risk

2017 Willis Towers Watson Cyber Risk Survey

US results

© 2017 Willis Towers Watson. All rights reserved.

Page 2: Executive summary

Cybersecurity is viewed as a fundamental challenge and a top priority for organizations.

Many companies feel they are on the right track in terms of data privacy and information security risk management. But most recognize that this is a journey, and many are looking to create a culture of cybersecurity in their organization.

Many threats exist around employee behaviors, and the vulnerabilities they create will be a top priority over the next three years.

Immediate priorities are:
- Training for employees and contractors
- Reviewing the cyber insurance gap and adding coverage

© 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only.

Page 3: About the survey (US responses)

- 92 companies from the US, with respondents covering Risk Management, Finance and Accounting, IT and HR
- 2,073 employees from the US, 82% of whom use a computer, tablet or other IT device in their job sometimes or frequently; 507 work in a corporate IT function

Page 4: Cyber risk: Developing a culture of cybersecurity

Page 5: Cyber security is a fundamental challenge for US business

One in five companies have suffered a cyber breach in the last year.

20% reported that their organizations have been impacted by a cyber breach in the last year (percentage of Somewhat significant / Significant / Very significant / Extremely significant):
- Extremely significant / Very significant: 3%
- Significant: 3%
- Somewhat significant: 13%

Note: May not sum to total due to rounding.

16% reported occasions when senior leaders have put confidential information at risk over the last three years (percentage of Strongly agree or Agree).

Source: 2017 WTW Cyber Risk Survey, US.

Page 6: Cyber security is a fundamental challenge for US business

Two-thirds see cyber risk as a fundamental challenge to their business.

66% see cyber security as a fundamental challenge for their business:
- Another risk to the business: 12%
- Neutral: 22%
- Fundamental challenge: 66%

85% view cyber security as a top priority for their company (percentage of Strongly agree or Agree).

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 7: Companies aspire to develop a culture of cyber security

Companies have adopted a wide range of cyber risk management activities, but few have embedded them into their company culture.

Which of the following best describes what your organization has accomplished in your cyber risk strategy to date and what you expect to accomplish in the next three years?

Stage (Today / In 3 years):
- No Strategy: Implemented various risk management activities but have not formally articulated a cyber strategy (53% / 0%)
- Adopt Strategy: Adopted and articulated a cyber risk strategy with stated objectives and goals for each program (11% / 4%)
- Communicate and Deliver: Effectively communicated the cyber risk strategy with stated objectives and goals to employees (28% / 4%)
- Culture of Cyber Security: Embedded cyber risk management within our company culture (8% / 85%)

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 8: Cyber risk: Actions, priorities and barriers

Page 9: The initial focus was chiefly on technology, but increasingly this will shift to employee behavior and operating procedures

To what extent has your organization made progress in the following areas to mitigate vulnerability to a cyberattack over the last/next three years?

Area (Over the last three years / Over the next three years / Change):
- Improve the technology systems and infrastructure: 76% / 68% / -8
- Improve business and operating processes: 58% / 72% / +14
- Address factors tied to human error or actions: 52% / 74% / +22

Note: Percentages indicate ‘To a great extent’ or ‘To a very great extent’.

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 10: The initial focus was chiefly on technology, but increasingly this will shift to employee behavior and operating procedures

Has your organization completed in the last two years, or does it plan to complete in the next two years, any of the following cyber risk related activities?

Activity (Completed in the last two years / Plan to complete in the next two years / Completed over last two years or plan to complete in next two years):
- Review of key risk areas: 82% / 30% / 99%
- Review of our systems: 81% / 30% / 99%
- Testing robustness of systems / vulnerability to attack: 76% / 34% / 98%
- Provide regular updates to employees about new security threats: 70% / 39% / 95%
- Audit of our processes: 68% / 38% / 94%
- Testing of emergency response plan: 66% / 40% / 97%
- Review of contractors and third-party suppliers: 56% / 43% / 89%
- Comprehensive training program on cyber risks for employees: 53% / 52% / 94%
- Comprehensive training program on cyber risks for non-employees (e.g., contract worker): 24% / 42% / 61%

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 11: Over nine in 10 companies have reviewed or will review their existing cyberinsurance, with eight in 10 looking to enhance coverage

Review and identify gaps in existing insurance coverage: 94% completed over last two years or plan to complete in next two years
- Completed in last 2 years: 66%
- Complete in next 2 years: 37%
- 9% do both

Add or enhance cyberinsurance coverage: 81% completed over last two years or plan to complete in next two years
- Completed in last 2 years: 54%
- Complete in next 2 years: 36%
- 9% do both

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 12: Most organizations have centralized their approach to data privacy and information security

To what extent does your organization have a centralized or decentralized approach to data privacy and information security?
- Centralized: 67%
- Neutral: 15%
- Decentralized: 18%

Note: Centralized = respondents giving a 1 to 3 score; Decentralized = respondents giving a 5 to 7 score; Neutral = respondents giving a 4 score.

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 13: Most companies feel they have appropriate levels of resources, clearly defined roles and responsibilities, and consistent policies

But concerns exist about sufficient budgets and room for improvement in how risk management and HR work together.

- Our organization has an appropriate amount of support from centralized (corporate-level) resources: 78%
- It is clear which parts of the company are responsible for data privacy and information security: 73%
- Our organization does an effective job of finding the most qualified individuals to support our cyber risk operations: 69%
- Our organization has an appropriate amount of local-level support: 65%
- Our organization has consistent data management and information security policies across all aspects of the business: 63%
- Our organization has adequate budgets to meet all its cyber risk management needs: 43%
- The risk management and HR functions work closely together on cyber risk management: 37%

Note: Percentages indicate Agree or Strongly agree.

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 14: A lack of employee awareness, ineffective processes and insufficient budgets are perceived as the key cyber risks

To what extent are the following barriers preventing your organization from effectively managing its cyber risks?

Barrier (To a very great extent / To a great extent; To a moderate extent; To a slight extent):
- Insufficient employee understanding of cyber risks: 13% / 21% / 45%
- Ineffective structure and processes: 7% / 25% / 28%
- Insufficient budgets: 5% / 24% / 40%
- Insufficient internal training on cyber risks: 10% / 17% / 36%
- Lack of clear business strategy on cyber risks: 13% / 13% / 33%
- Lack of internal expertise: 7% / 18% / 32%
- Insufficient leadership engagement with cyber risk agenda: 8% / 17% / 22%
- Insufficient insurance coverage of cyber risks: 4% / 12% / 26%

Response scale: To a very great extent / To a great extent; To a moderate extent; To a slight extent; Not at all.

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Page 15: Cyber risk: Does employee behavior match company policy?

Page 16: A large number of employees assume central IT is protecting them

Employer View (% of ‘Strongly agree’ or ‘Agree’):
- The organization communicates effectively to employees about data privacy and network best practices: 77%
- Our organization has consistent data management and information security policies across all aspects of the business: 63%

Employee Behavior:
- Opening any email on my work computer is safe (% of ‘Strongly agree’ or ‘Agree’): 46%
- Discussed work-related topics in public places (% of ‘Frequently’ or ‘Sometimes’): 41%
- Shared network password with a work colleague (% of ‘Yes’): 15%
- Developed an issue with your work computer due to an action you took (e.g., surfing websites, downloading software) (% of ‘Yes’): 15%

Source: 2017 WTW Cyber Risk Survey, employer survey and employee survey, US.

Page 17: Are employees comfortable reporting incidents?

Employee Behavior (% of ‘Yes’):
- Received a suspicious email at work meant to trick you into opening a harmful link or attachment: 43%. Among them, eight in 10 reported the suspicious email to IT department.
- Witnessed co-workers behaving in ways inconsistent with data privacy and information security policies: 34%. Of these, 53% reported to manager or IT department, 31% only spoke with those individuals and 15% took no action.
- Discussed information security risks with your immediate manager: 32%

80% know the steps to take if they suspect sensitive information is at risk or has been stolen.

Employer View: 93% believe that they have provided an environment in which employees are comfortable reporting about data privacy and data security.

Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.

Page 18: Over half of employers perceive data privacy threats by employees or contractors, but employees are less aware

“A disgruntled employee or contractor could deliberately compromise our systems or steal customer/client data”:
- Employers: 59%
- All employees: 40%
- IT professionals: 56%

Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.

Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.

Page 19: Does employee behavior match company policy?

Employer View (% of ‘Strongly agree’ or ‘Agree’):
- 75% of organizations have a strict policy regarding applications and software that can be downloaded by employees.
- 72% of employers believe that they are doing enough to protect the integrity of customer/client data.

Employee Behavior:
- Use personal computing devices that have not been approved by your company’s IT department to do work at home (% of ‘Frequently’ or ‘Sometimes’): 22%
- Remove paper files with confidential information from the office to do work at home (% of ‘Frequently’ or ‘Sometimes’): 27%
- Downloaded software onto your work computer that was not approved by your IT department (% of ‘Yes’): 18%
- Sent or received an important or confidential work file via email without password protection (% of ‘Yes’): 23%
- Sent a confidential work file via email to the wrong recipient (% of ‘Yes’): 11%

Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.

Page 20: Awareness of social engineering risk among employees needs to be enhanced

Regarding how you use technology, do you…?

Protection from social engineering attacks:
- Disable features that let you auto-save passwords on your personal computing devices
- Purchase a personal identity theft protection service

Vulnerabilities to social engineering attacks:
- Only change the password on my work computer when prompted
- Share personal information (e.g., date of birth, employer name, job title) in profiles on social media sites
- Use the same passwords across all your personal computing devices

Percentages shown on the chart: 28%, 56%, 34%, 33%, 69%.

Source: 2017 WTW Cyber Risk Survey, employee survey, US.

Page 21: How engaged are employees with their company training programs?

Nearly half of employees spent less than 30 minutes in training in the last year.

Over the past 12 months, how much time have you spent in training specific to data protection and information security at your company?
- None: 25%
- Less than 10 minutes: 9%
- 10 minutes to less than half an hour: 11%
- Half an hour to less than one hour: 19%
- One hour to less than half a day: 18%
- Half a day to less than 1 work day: 8%
- 1 work day or more: 10%

45% spent less than 30 minutes. 61% of employees completed the training only because it was required by their companies.

Employees benefit from training (% of ‘Strongly agree/Agree’):
- It improved my understanding of the steps I need to take to better protect confidential information: 78%
- It increased my sense of personal responsibility for data security at work: 77%
- It taught me something new about data and information security: 71%
- It motivated me to change how I manage my personal computing devices: 63%

Source: 2017 WTW Cyber Risk Survey, employee survey, US.

Page 22: We define four types of employees according to how they use technology at work or at home

- Alert (37%): Employees who protect personal information in daily life and are aware of information security at work
- Comply (24%): Employees who behave at work in compliance with data/information protection policies but are careless with personal behaviors
- Ignore (21%): Employees who pay attention to the protection of personal information, but whose behaviors at work fall short
- Unconcerned (18%): Employees whose behaviors of using technology both at work and at home may lead to potential cyber risks

Based on the following questions:

PERSONAL BEHAVIORS
- Use the same passwords across all of personal computing devices
- Do not purchase a personal identity theft protection service
- Share personal information in profiles on social media sites
- Do not regularly update virus protection software on personal computing devices
- Do not change passwords for personal email and online accounts at least once every 3 months
- Do not disable features that auto-save passwords on personal computing devices

WORK BEHAVIORS
- Use personal computing devices that have not been approved by company’s IT department to do work at home
- Remove paper files with confidential information from the office to do work at home
- Downloaded software onto work computer that was not approved by IT department
- Developed an issue with work computer due to an action employees took
- Shared network password with a work colleague
- Sent or received an important or confidential work file via email without password protection
- Lost a piece of work equipment
- Sent a confidential work file via email to the wrong recipient

Source: 2017 WTW Cyber Risk Survey, employee survey, US.

Page 23: Behavior is strongly linked to training time, type of work and age

Employee type by group (Alert / Comply / Ignore / Unconcerned):

Time spent in training specific to data protection and information security
- Less than 30 minutes: 30% / 17% / 33% / 20%
- At least half day: 33% / 38% / 12% / 17%

Primary type of work
- IT: 22% / 50% / 9% / 19%
- Non-IT: 42% / 15% / 25% / 17%

Gender
- Male: 34% / 31% / 17% / 18%
- Female: 41% / 16% / 26% / 17%

Generation
- Boomers: 51% / 16% / 23% / 10%
- Gen X: 39% / 25% / 18% / 18%
- Gen Y: 27% / 28% / 22% / 23%

(The chart also groups the types under the labels ‘Work safe’ and ‘Cyber risk’.)

Source: 2017 WTW Cyber Risk Survey, employee survey, US.

Page 24: Cyber risk: Key insights

Page 25: Key insights

1. Many companies feel they are on the right track with their information security and infrastructure and operational policies
2. A large majority of companies have reviewed and enhanced their cyber insurance cover or plan to do so in the next two years
3. Companies are shifting focus to tackle people risks and build a culture of risk management

- People risks are the next frontier in cyber risk management
- There is a disconnect between company policy and employee behavior
- Employees are overly reliant on company IT to provide cyber security
- Employees need to move from complying to actively engaging in their training
- Social engineering creates additional vulnerabilities that need to be addressed

Page 26: Key insights: Company actions

1. Continuously evolve with the changing threats
2. Encourage employees to go beyond compliance
3. Train to win
4. Check your insurance policies

Page 27: Cyber risk: Appendix: US - UK comparison

Page 28: US employers take the lead in action

Over last two years (US / UK):
- Completed reviewing their systems: 81% / 65%
- Provided regular updates to employees about new security threats: 70% / 51%

Employers say that (% of ‘Strongly agree’ or ‘Agree’; US / UK):
- They provide an environment in which employees are comfortable reporting concerns about data privacy and information security: 93% / 82%
- They communicate effectively to employees about data privacy and network best practices: 77% / 68%
- Managers set clear expectations regarding how employees need to handle confidential customer/client information: 72% / 63%
- They are doing enough to protect the integrity of customer/client data: 72% / 63%
- They have consistent data management and information security policies across all aspects of the business: 63% / 58%

Source: 2017 WTW Cyber Risk Survey, employer survey, US; 2017 WTW Cyber Risk Survey, employer survey, UK.

Page 29: The percentage of US employers thinking that cyberinsurance coverage meets their needs is nearly twice that of UK employers

“Our cyber insurance coverage is comprehensive enough to meet our needs”: 62% of US employers vs 38% of UK employers.

Review and identify gaps in existing insurance coverage (completed over last two years or plan to complete in next two years):
- US: 94% (66% completed in last 2 years, 37% complete in next 2 years, 9% do both)
- UK: 87% (42% completed in last 2 years, 51% complete in next 2 years, 6% do both)

Add or enhance cyber-insurance coverage (completed over last two years or plan to complete in next two years):
- US: 81% (54% completed in last 2 years, 36% complete in next 2 years, 9% do both)
- UK: 71% (26% completed in last 2 years, 45% complete in next 2 years)

Source: 2017 WTW Cyber Risk Survey, employer survey, US; 2017 WTW Cyber Risk Survey, employer survey, UK.

Page 30: Both US employers and UK employers see the importance of training

Has your organization completed in the last two years, or does it plan to complete in the next two years, a comprehensive training program on cyber risks for employees?

(US / UK)
- Completed in the last two years: 53% / 36%
- Plans to complete in the next two years: 52% / 63%
- Completed over last two years or plan to complete in next two years: 94% / 90%

Source: 2017 WTW Cyber Risk Survey, employer survey, US; 2017 WTW Cyber Risk Survey, employer survey, UK.

Page 31: Cyber risk: Appendix: Additional material

Page 32: Many threats exist, especially around employee behaviors

For each of the following, have you ever…? (% of ‘Yes’)
- Received a suspicious email at work meant to trick you into opening a harmful link or attachment: 43%
- Witnessed co-workers behaving in ways inconsistent with data privacy and information security policies: 34%
- Discussed information security risks with your immediate manager: 32%
- Sent or received an important or confidential work file via email without password protection: 23%
- Downloaded software onto your work computer that was not approved by your IT department: 18%
- Shared your network password with a work colleague: 15%
- Developed an issue with your work computer (such as a virus or damaged files) due to an action you took (e.g., surfing websites, downloading software): 15%
- Lost a piece of work equipment (e.g., computer, portable storage device, cellular device): 13%
- Sent a confidential work file via email to the wrong recipient: 11%

Among those who received a suspicious email, eight in 10 reported the suspicious email to IT department.

Among those who have witnessed co-workers behaving in ways inconsistent with data privacy and information security policies: 53% reported to manager or IT department vs 46% spoke with only those individuals or took no action.

Source: 2017 WTW Cyber Risk Survey, employee survey, US.

Page 33: About three-quarters of organizations feel their IT systems and cyber security strategy are fit for purpose

But there is a lack of confidence in cyber insurance coverage.

Do you agree or disagree with the following statements about how your organization manages cyber risk?
- Our IT systems are fit for purpose: 77%
- Our cyber risk strategy is fit for purpose: 73%
- Our organization has a strong culture of risk management: 72%
- Our business processes are fit for purpose: 65%
- Our cyber insurance coverage is comprehensive enough to meet our needs: 62%
- We effectively manage cyber risks excluded from our insurance coverage: 55%

Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Most employers say they have effective policies to manage data privacy threats by employees, manage software downloads and respond to security threats. Nearly three-quarters feel they have done enough to protect client data, including against outsiders breaking into their systems.

Do you agree or disagree with the following statements about how your organization manages data privacy and information security?

The organization provides an environment in which employees are comfortable reporting concerns about data privacy and information security: 93%
Our company has the right processes in place to react to data privacy and security threats: 79%
Our organization effectively manages the data privacy and security threats that could be caused by our employees and contractors: 78%
The organization has a strict policy regarding applications and software that can be downloaded by employees: 75%
Our company is doing enough to protect the integrity of customer/client data: 72%
Our organization is highly protected from attempts by outsiders to gain access to our systems or data: 72%

Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Nearly eight in 10 employers say that they have strong commitment from senior management, communicate effectively to employees and have set clear expectations for employees. Employees broadly agree.

Senior management is strongly committed to the protection of all confidential data: employer view 89%, employee view 78%
The organization communicates effectively to employees about data privacy and network best practices: employer view 77%, employee view 75%
Managers set clear expectations regarding how employees need to handle confidential customer/client information: employer view 72%, employee view 74%

Note: Percentages indicate ‘Agree’ or ‘Strongly agree’.
Source: 2017 WTW Cyber Risk Survey, employer survey & employee survey, US.

Most employees feel they know how to manage data privacy and information security in their jobs. But still, two-thirds change their password only when prompted, and nearly half believe that opening any email on a work computer is safe.

(% of ‘Strongly agree’ or ‘Agree’)

I know the steps to take if I suspect sensitive information is at risk or has been stolen: 82%
I have read and understood my company's policies regarding data privacy and information security: 76%
I know where to find the information I need to understand data privacy and information security risks: 80%
I only change the password on my work computer when prompted: 69%
Opening any email on my work computer is safe: 46%

Source: 2017 WTW Cyber Risk Survey, employee survey, US.

Vulnerabilities around employee behaviors

How often do you do each of the following?
(% of ‘frequently’ or ‘sometimes’)

Use your work computer or cellular device to access confidential company information: 41%
Discuss work-related topics in public places: 41%
Log into your work computer or cellular device using an unsecured public network (Wi-Fi): 32%
Use your work computer in public settings (e.g., while commuting, on airplanes/trains, at cafes): 31%
Remove paper files with confidential information from the office to do work at home: 27%
Use personal computing devices that have not been approved by your company's IT department to do work at home: 22%

Source: 2017 WTW Cyber Risk Survey, employer survey, US.

Policies to enhance cyber security

Which specific policies does your organization have in place or plan to have in the next few years?

Require employees to create strong passwords (e.g., set minimum length, include upper and lower case letters, use numbers and symbols): 2017 85%, 2019* 95%
Require employees to change passwords at least every three months: 2017 76%, 2019* 91%
Have a disciplinary policy to enforce the data protection policy: 2017 65%, 2019* 71%
Require portable storage devices used for company business to be encrypted at a standard set by the company: 2017 52%, 2019* 73%
Prohibit the use of portable storage devices: 2017 46%, 2019* 60%

*Includes companies indicating planned for 2018 or considering for 2019.
Source: 2017 WTW Cyber Risk Survey, employer survey, US.