The Cybersecurity and Culture Connection

The cyber risk realm is one that’s generally inhabited by those in the IT department.

New research from Willis Towers Watson, however, looks at the role human resources can play in helping the organization wrestle with cybersecurity-related issues, and what HR can do to help in the event of an actual cyber breach.

The London-based consultancy recently analyzed employee survey results from 12 organizations, examining engagement attitudes and opinions from more than 450,000 workers corresponding to a period in which significant data breaches were identified within the firms.

Employees’ responses were benchmarked against global high-performance companies and global IT staff from Willis Towers Watson’s database of employee opinion survey data. Overall, employee opinions within the organizations experiencing data breaches didn’t stack up favorably, with scores ranking the lowest in three aspects of company culture—training, company image and customer focus.

For example, fewer workers at firms that have recently encountered a data breach feel they have received adequate training for the work they do and have access to training to improve their skills and learn new ones to advance in their roles, while smaller numbers of employees at these companies feel their employers treat corporate social responsibility and customer focus as top priorities.

The lower scores emerging from organizations affected by a data breach were “expected,” according to Willis Towers Watson, but HR leaders “can use a number of tools at [their] disposal to help create a culture conducive to effective cyber risk management,” says Patrick Kulesa, global research director.

For example, he recommends stressing in training programs “the importance of customer information and the role that every employee plays in safeguarding details about customers—especially when training new hires generally and all hires in IT,” and suggests considering making such training programs an annual requirement for all employees, “to keep skills fresh.”

Kulesa also urges HR leaders to advocate providing or sponsoring continuing education programs on new developments in technology that impact the business.

With respect to consumer focus, “provide employees an opportunity to raise concerns about poor customer service, through employee surveys or other appropriate avenues,” he says, adding that leaders and managers should be evaluated on “how well they reinforce the value of customer service and reflect the image of the company through their actions.”

Ideally, such actions will help mitigate the organization’s risk of experiencing a cyber breach. But HR can also be integral in the recovery effort should one occur, says Kulesa.

“Help the businesses impacted to get out in front of the event through clear communications to employees, or through assisting leaders in crafting and delivering such messages,” he says.

In addition, “describe the steps already in place to encourage an effective culture—competencies for leaders, training for staff, avenues to raise concerns,” says Kalesa, adding that HR must also “be clear about steps being taken to improve risk management and the role each employee can play in that process.”

And, most importantly, “focus on continuing improvement,” he says, “not assigning blame.”