The figures are in for the total estimated business losses in 2017 resulting from cyber attacks, and they paint an ominous picture of the future of business in the cyber threat landscape. Willis Towers Watson estimates over $4 billion in financial and economic losses across 150 countries from the 2017 cyber attacks like WannaCry, NotPetya and others. Some industries, such as consumer goods, pharmaceutical, and shipping/logistics, lost upwards of $600 million each in 2017 due to systems outages, disruptions in production and operations and malware’s impact on sales.
These hard numbers have pushed companies into action as many boards and executives are looking at ways they can prevent and overcome future attacks. In a recent Willis Towers Watson survey, we found that 96 percent of board members think they don’t spend enough on cyber overall. By 2021, the global cyber spend on IT security technology is expected to grow to $113 billion (up from $75 billion in 2016). While boards are making significant technology investments, they are still stagnant on addressing their cyber risk from their human capital.
Raising Cyber IQ
Cyber threat exposure through corporate employees poses one of the biggest unanswered threats to the organization. A whopping 58 percent of cyber breaches in 2017 can be attributed to human capital error through employee negligence or malfeasance. However, while corporate spending on cyber technology is projected to massively increase in the coming years, investment in human capital cyber solutions remains low, anticipated to grow only from $1.4 billion in 2016 to $2.3 billion in 2021.
It’s important for boards and corporate leaders to recognize the incongruity between the corporate cyber spend and the high level of cyber risk they face from their human capital. A company can only get so far in its cyber risk mitigation through a focus on technology alone. Technology will inevitably evolve, with new threats emerging and old vulnerabilities being identified with startling regularity. However, a workforce with a high cyber-IQ can serve as a foundation for cyber risk management across an organization. While the development of such a workforce is a significant undertaking, it is an important one, and one that is vital to future cyber risk protection.
One of the common factors of organizations that suffer major data breaches is an inability to create an ongoing learning environment that encourages employees to keep up with relevant business trends. This includes staying current on the latest threat landscape and on the tactics being used by malicious actors to penetrate corporate cyber defense, as well as understanding how to circumvent them. Willis Towers Watson has found that over the past 12 months, nearly 50 percent of employees have spent less than 30 minutes in cybersecurity training. It’s no wonder that fewer than 50 percent also claim to not have a “cyber smart workforce.”
Boards must understand this through line and commit resources to a cyber development program that encompasses not only training but also ongoing education of employees. Cyber readiness and aptitude need to be integrated into the corporate culture. The development of such a culture will also increase cooperation across cyber defense and IT teams, ultimately improving cyber risk mitigation.
As these programs and the resulting skills become more prevalent, that prevalence will carry over into the talent market, as more employees across industries build cyber proficiency and evolve into hybrid job roles that involve cyber.
Companies are on board with investing in organizational cyber defenses but still need guidance on how to spend that investment. As the corporate cyber threat landscape evolves, the corporate workforce must evolve with it.