In the Crosshairs of Hackers: the Human Element in Cyber Risk

As cyber-attacks continue to dominate the headlines, corporate treasurers prove to be prime targets. Given cyber criminals want access to other people’s money, it’s natural that the treasury function makes an obvious target.

The most intuitive cyber risk relating to treasury is the initiation of fraudulent payment through a myriad technical means such as phishing and social engineering attacks. Attackers are becoming ever more sophisticated - after all, it is believed that over 90% of cyber-attacks start with a phishing email, a malicious tactic that is becoming increasingly passable as everyday email. Last year, I found myself the recipient of a phishing email, and decided to initiate a review of cyber risks within Willis Towers Watson treasury. It turned out that my phishing email was not an isolated incident within the company, as my colleagues across finance who are involved with handling insurance premiums and claims also reported similar targeting. 

Discussions of cyber risk sometimes focus on managing risk and trying to transfer and mitigate the downside. However, this approach does not properly take account of the root of the cyber problem: human behaviour. As technology has become a driver of business models, cyber risk has grown into a systemic threat to businesses. While critical to protecting the enterprise, technology is only one piece of the solution. Organisations need a fully integrated, comprehensive plan that emphasises people, capital and technology protections to effectively manage cyber risk across the enterprise and ensure resiliency. 

As Treasurer of Willis Towers Watson I benefit from the know-how in our organisation, and our own cyber insurance claims data shows two-thirds of incidents are the direct result of employee behaviour – for example, negligence leading to lost devices and malicious and disgruntled insiders seeking to profit from corporate espionage. When analysing the other 33% of incidents, a large portion can ultimately be traced back to additional human factors, such as system errors and inadequate network security practices, all of which still involve human error. It is generally believed that, while the initial focus of managing cyber risk was (or is) on technology, the focus is beginning to shift towards employee behaviour and operating procedures. Our objective at Willis Towers Watson is to drive a culture that creates cyber-smart employees, while also identifying deficiencies in talent and taking steps to remediate these deficiencies. No longer is it solely the job of risk and IT departments to handle cyber risk. Companies need to understand the human element of cyber risk through assessing organisational culture, employee engagement and identifying talent and educational gaps to protect against cyber threats. 

The starting point is people: Our own research shows that, whilst employers are more likely to perceive data privacy as a threat, employees are often less sensitive. At Willis Towers Watson, key staff undergo training on how to spot attacks aimed at them, including how to spot phishing emails, as well as to understand what tactics are used by cyber fraudsters. Such education has become a regular feature for our employees. Policies regarding user access, encryption of devices and password management were reviewed, reiterated and updated. One colleague later commented on another phishing email by saying that “they need to do better than this.” 

We also are looking once again at systems, but I do not believe that IT solutions can be adopted and implemented in a vacuum. Again, research suggests that employees may be prone to relying on IT to take care of the matter. It is critical for people and technology to have a symbiotic relationship to ensure cyber risk strategy is connected to the business and not simply a superficial wall surrounding an organisation. Much can be achieved at the intersection of people and technology, which is the management of user access, especially to electronic banking systems. Very few banking transactions nowadays do not go through electronic portals, which put electronic banking into focus. Are we sure that all employees who have left the firm had their access to electronic banking platforms removed? Do we pay enough attention to those minor electronic banking platforms which we intend to phase out but are still active? Do we effectively track security tokens giving access to electronic banking systems? 

Fig 1

Fig 2

Fig 3

Centralising security management

Willis Towers Watson decided to centralise the security management for electronic banking platforms, and put the experts in IT in charge. It is preferable to have a small team of IT experts controlling electronic banking system access, as opposed to managing electronic banking security on a business level. In our chosen structure, a small team of professionals is becoming very familiar with the various electronic banking platforms they support. They act on requests from the business in a more effective way than local managers who typically deal with electronic banking security rather infrequently. A relatively small, dedicated team is best placed to establish governance effectively, without being perceived as unduly bureaucratic. Having our electronic banking security managed centrally enables us to regularly monitor access, including periodic reviews of active users. I feel that centralising the management of electronic banking user security helped to standardise the process, to offer better insight and overview of who can access our bank accounts – and enables us to deal with any attempted cyber-attack incidents quicker and with the benefit of faster information. 

Central management of user access naturally moves towards rationalisation of electronic banking platforms, and more generally, the number of bank accounts and banks themselves. The fewer EB system installations, the more efficient the work of the central IT team. Every electronic banking platform is a potential access point for a cyber-attack, so by reducing the number of electronic banking portals, we also reduce the number of gateways for a fraudster. 

Similarly, the way we process banking transactions is less vulnerable if fewer external counterparties, and fewer connection points are used. We prefer using standardised SWIFT-connectivity, as opposed to bilateral, host-to-host connections to banks. Every connection is a potential entrance for a cyber-attack, and every bilateral bank interface we phase out is another closed door for fraud. 

Finally, we evaluated what element of cyber risk we would transfer out by way of insurance. Once again I benefited from the know-how available in Willis Towers Watson and found a solution that fits our organisation. No two companies are the same and I believe that in the case of cyber insurance, the decision on what to insure and what to retain requires an in-depth review of every case individually.