As cyber-attacks continue to dominate the headlines, corporate treasurers prove to be prime targets. Given that cyber criminals want access to other people’s money, it’s natural that the treasury function makes an obvious target.
The most intuitive cyber risk relating to treasury is the initiation of fraudulent payments through myriad technical means such as phishing and social engineering attacks. Attackers are becoming ever more sophisticated – after all, it is believed that over 90% of cyber-attacks start with a phishing email, a malicious tactic that is becoming increasingly difficult to distinguish from everyday email. Last year, I found myself the recipient of a phishing email, and decided to initiate a review of cyber risks within Willis Towers Watson treasury. It turned out that my phishing email was not an isolated incident within the company, as my colleagues across finance who are involved with handling insurance premiums and claims also reported similar targeting.
Discussions of cyber risk sometimes focus on managing risk and trying to transfer and mitigate the downside. However, this approach does not properly take account of the root of the cyber problem: human behaviour. As technology has become a driver of business models, cyber risk has grown into a systemic threat to businesses. While critical to protecting the enterprise, technology is only one piece of the solution. Organisations need a fully integrated, comprehensive plan that emphasises people, capital and technology protections to effectively manage cyber risk across the enterprise and ensure resiliency.
As Treasurer of Willis Towers Watson, I benefit from the know-how in our organisation, and our own cyber insurance claims data shows two-thirds of incidents are the direct result of employee behaviour – for example, negligence leading to lost devices, and malicious and disgruntled insiders seeking to profit from corporate espionage. When analysing the other 33% of incidents, a large portion can ultimately be traced back to additional human factors, such as system errors and inadequate network security practices, all of which still involve human error. It is generally believed that, while the initial focus of managing cyber risk was (or is) on technology, the focus is beginning to shift towards employee behaviour and operating procedures. Our objective at Willis Towers Watson is to drive a culture that creates cyber-smart employees, while also identifying deficiencies in talent and taking steps to remediate these deficiencies. No longer is it solely the job of risk and IT departments to handle cyber risk. Companies need to understand the human element of cyber risk by assessing organisational culture and employee engagement, and by identifying talent and educational gaps, to protect against cyber threats.