Kim Curley
Vice President, Workforce Readiness Consulting, NTT DATA Services
More from this contributorIn July 2020, cybercriminals orchestrated one of the most high-profile hacks of the year. At the start of the pandemic, employees worldwide shifted to remote work models, including staff at Twitter. It was then that cybercriminals impersonated Twitter IT Administrators and persuaded top employees to disclose account credentials. This series of events led to an elaborate crypto scam, including the fraudulent takeover of 130 high-profile accounts, including Barack Obama, Joe Biden and Kanye West. Twitter later released a statement announcing that its own employee tools contributed to the unprecedented hack. The entire ordeal led to a 4% decrease in Twitter’s share price and extensive reputational damage. The criminals didn’t leverage sophisticated technologies, malware or exploits to pull off this hack. Instead, they used social engineering tactics to infiltrate a $37 billion technology company.
We humans are complex, unpredictable, and at times, risky. The Twitter scam demonstrates that although the waves of the pandemic, remote work and highly skilled cybercriminals contribute to increased enterprise risk, one of the most challenging factors to manage is the human side of risk.
Commitment to risk management is a commitment to earning the trust of your teams – and loyalty to your consumers.
To prepare for the next frontier of risk management, leaders must start with a human-centric approach to risk modeling that addresses the intersection of people and risk at scale. Commitment to risk management is a commitment to earning the trust of your teams, developing a corporate culture of risk awareness, and eventually, strengthening the trust and loyalty to your consumers.
The human impact on risk management and compliance
Enterprise risk management (ERM) refers to the methods and processes that organizations use to mitigate risk, including identifying threats, assessing the magnitude of impact, crafting a response strategy, and continuous monitoring. Protecting an enterprise must include three critical areas: governance, risk management and compliance (GRC).
- Governance: Ensuring that all organizational activities are aligned to support overall goals, (IT operations, training, human resources).
- Risk Management: Identifying, assessing, and controlling threats to the business (cybersecurity, legal consequences, natural disasters).
- Compliance: Aligning internal organizational activities with external laws and regulations (legal mandates, environmental laws, privacy).
Addressing the human side of risk is one of the most effective yet undervalued GRC strategies. Employees are especially prone to impacting risk management. All too often employees click links in phishing emails, end up being manipulated to provide access and information during social engineering attacks, use weak passwords, accidentally download malicious hardware, or make errors that cause security incidents. Incredibly, 88% of security breaches result from human error, and 37% of attacks involve emails as the root cause of breaches.
Your organizational governance and risk culture will inform how well your people can protect your business.
Humans not only impact security protection and risk management, but also influence compliance efforts. For example, imagine an IT department employee identifies an outdated software containing gaps that could lead to a breach. In a risk-aware culture, this employee would be celebrated for reporting and remedying this issue. However, in a risk-avoiding culture, this same employee may not understand the significance or choose to overlook the gap due to a lack of clarity around risk management processes. Overall, whether it’s security protection, compliance, or general risk awareness, your organizational governance and risk culture will inform how well your people can protect your business.
Overcoming obstacles and embracing best practices
First, organizations need a clearly-defined risk strategy. Without direction, it’s easy to continue with business-as-usual; but the ultimate goal must be to establish governance and a culture of risk awareness, where key decision-makers define objectives and employees participate in continuous training and consider risk in everything they do.
Often, employees who put organizations at risk are doing so simply by mirroring the corporate approach to risk management.
Many organizations allow pressure for operational cost reductions to limit spending on risk programs, particularly effective training. Leaders at the top may not demonstrate risk awareness or advocate for the importance of risk management. Often, employees who put organizations at risk are doing so simply by mirroring the corporate approach to risk management. Fortunately, there are practical ways organizations can inspire employees to care about risk management and compliance. It starts with leadership.
Leaders need to encourage teams to take threats seriously and abide by best practices. While investment in IT infrastructure, controls and programs driven by a Chief Information Security Officer (CISO) should continue, the human factor remains a considerable risk. Organizations want to trust their teams to mitigate risk, but first, leaders must provide necessary support. We see three actions that organizations can immediately prioritize to make an impact on GRC.
1. Align leaders and create visibility from the top
Starting at the top, Chief People Officers and Chief Learning Officers must form a tighter and more formal link with Chief Risk Officers and CISOs to create alignment for human-centric strategies that integrate the company’s enterprise risk profile into culture, awareness and training.
Leaders educated on specific risks must act as an accountable voice, promoting and communicating the importance of risk management and compliance. Companies must ensure that leadership is the face and voice of risk management, as they lead by example in meetings and everyday behaviors.
2. Build a culture that will drive behavior and action to maintain security across the organization
Culture drives beliefs and actions beyond what the best controls can accomplish. Culture, as it relates to driving behavior, can be an additional line of defense in managing overall risk. Therefore, leaders who wish to foster a risk-aware culture must make the effort to create lasting adoption of the right behaviors.
The first step in creating sustainable culture change is awareness and education. Organizational risk awareness campaigns bring increased visibility to security threats and the associated risks through videos, newsletters, articles and other mediums. Next, leaders must identify and implement policies and procedures that support the right actions, celebrating the risk-aware behaviors, and providing reinforcement for those that run counter to the strategies. Finally, organizations must align performance management processes to the desired outcomes, tailoring them to roles, including data protection and prevention.
3. Deploy formalized, immersive training to build mastery of common threats
Employee awareness and behavior rely on the quality and relevance of organizational communication and training programs. Therefore, organizations must move away from dry, annual slide deck presentations to engaging and realistic training that prepares teams for the modern risk landscape.
To support retention of the training, companies can scale gamification techniques, such as leaderboards, to reinforce desired behaviors and increase participation. Training programs can and should be more engaging and relevant (for example, scenario-based simulations bring awareness to different security threats and how to best respond), and as not all employees have the same risk profile, training should be tailored across different roles and teams.
Personalized risk training deepens lessons and resources in protecting data. In these training sessions, employees may realize the importance of security protection in their lives outside of work, and bring this mindset with them as they enter the workplace. This relatable content can drive engagement as employees learn to make their personal data more secure.
Creating a future-fit, risk-aware culture
The next frontier of risk is all about humans in the workforce. Organizations will recognize the importance of reskilling and upskilling their people to understand and avoid common threats. Global spending on IT and risk management will continue to grow; in 2020, spending grew 6.4% and in 2021, it doubled its growth to 12.4%. Global spending on security awareness and phishing simulation programs alone are predicted to reach $10 billion by 2027.
The future of work and risk will also see increased regulatory oversight. Organizations will embrace incentives and consequences associated with compliance efforts, and feel added pressures to build a robust risk management strategy. Even the external public, including clients, stakeholders, and consumers, will feel a heightened awareness of potential risks and strategies to protect their data and reputations.
Change requires communication, education, behavioral strategies and trust. As a leader, if you want to trust your people to protect your organization, start by proving that they can rely on you.
In the end, sustainable change depends on culture. It’s not enough for organizations to bolster risk management spending or introduce a cutting-edge technology solution and expect people to change accordingly. Change requires communication, education, behavioral strategies and trust. As a leader, if you want to trust your people to protect your organization, start by proving that they can rely on you. Grant your teams the knowledge and tools needed to successfully manage existing and emerging risks.
