In such turbulent times, with a global pandemic and the drive towards the digital world, dependence on cyber safety and consumer trust only becomes increasingly important. Technology continues to develop in complexity, as do our methods to mediate it, but it’s imperative that we don’t forget the human side of risk, too.
16 June 2022 • 5 min read
In July 2020, cybercriminals orchestrated one of the most high-profile hacks of the year. At the start of the pandemic, employees worldwide shifted to remote work models, including staff at Twitter. It was then that cybercriminals impersonated Twitter IT administrators and persuaded top employees to disclose account credentials. This series of events led to an elaborate crypto scam, including the fraudulent takeover of 130 high-profile accounts, among them those of Barack Obama, Joe Biden and Kanye West. Twitter later released a statement announcing that its own employee tools contributed to the unprecedented hack. The entire ordeal led to a 4% decrease in Twitter’s share price and extensive reputational damage. The criminals didn’t leverage sophisticated technologies, malware or exploits to pull off this hack. Instead, they used social engineering tactics to infiltrate a $37 billion technology company.
We humans are complex, unpredictable, and at times, risky. The Twitter scam demonstrates that although the waves of the pandemic, remote work and highly skilled cybercriminals contribute to increased enterprise risk, one of the most challenging factors to manage is the human side of risk.
To prepare for the next frontier of risk management, leaders must start with a human-centric approach to risk modeling that addresses the intersection of people and risk at scale. Commitment to risk management is a commitment to earning the trust of your teams, developing a corporate culture of risk awareness, and eventually, strengthening the trust and loyalty to your consumers.
Enterprise risk management (ERM) refers to the methods and processes that organizations use to mitigate risk, including identifying threats, assessing the magnitude of impact, crafting a response strategy, and continuous monitoring. Protecting an enterprise must include three critical areas: governance, risk management and compliance (GRC).
Addressing the human side of risk is one of the most effective yet undervalued GRC strategies. Employees have an outsized impact on risk management. All too often employees click links in phishing emails, are manipulated into providing access and information during social engineering attacks, use weak passwords, accidentally download malicious software, or make errors that cause security incidents. Incredibly, 88% of security breaches result from human error, and 37% of attacks involve emails as the root cause of breaches.
Humans not only affect security protection and risk management, but also influence compliance efforts. For example, imagine an IT department employee identifies outdated software with weaknesses that could lead to a breach. In a risk-aware culture, this employee would be celebrated for reporting and remedying the issue. In a risk-avoiding culture, however, the same employee may not understand its significance, or may choose to overlook it because the risk management processes are unclear. Overall, whether it’s security protection, compliance, or general risk awareness, your organizational governance and risk culture will inform how well your people can protect your business.
First, organizations need a clearly defined risk strategy. Without direction, it’s easy to continue with business as usual; but the ultimate goal must be to establish governance and a culture of risk awareness, where key decision-makers define objectives and employees participate in continuous training and consider risk in everything they do.
Many organizations allow pressure for operational cost reductions to limit spending on risk programs, particularly effective training. Leaders at the top may not demonstrate risk awareness or advocate for the importance of risk management. Often, employees who put organizations at risk are doing so simply by mirroring the corporate approach to risk management. Fortunately, there are practical ways organizations can inspire employees to care about risk management and compliance. It starts with leadership.
Leaders need to encourage teams to take threats seriously and abide by best practices. While investment in IT infrastructure, controls and programs driven by a Chief Information Security Officer (CISO) should continue, the human factor remains a considerable risk. Organizations want to trust their teams to mitigate risk, but first, leaders must provide necessary support. We see three actions that organizations can immediately prioritize to make an impact on GRC.
1. Align leaders and create visibility from the top
Starting at the top, Chief People Officers and Chief Learning Officers must form a tighter and more formal link with Chief Risk Officers and CISOs to create alignment for human-centric strategies that integrate the company’s enterprise risk profile into culture, awareness and training.
Leaders educated on specific risks must act as an accountable voice, promoting and communicating the importance of risk management and compliance. Companies must ensure that leadership is the face and voice of risk management, as they lead by example in meetings and everyday behaviors.
2. Build a culture that will drive behavior and action to maintain security across the organization
Culture drives beliefs and actions beyond what the best controls can accomplish. Culture, as it relates to driving behavior, can be an additional line of defense in managing overall risk. Therefore, leaders who wish to foster a risk-aware culture must make the effort to create lasting adoption of the right behaviors.
The first step in creating sustainable culture change is awareness and education. Organizational risk awareness campaigns bring increased visibility to security threats and the associated risks through videos, newsletters, articles and other media. Next, leaders must identify and implement policies and procedures that support the right actions, celebrating risk-aware behaviors and providing corrective reinforcement for behaviors that run counter to the strategy. Finally, organizations must align performance management processes to the desired outcomes, tailoring them to roles, including data protection and prevention.
3. Deploy formalized, immersive training to build mastery of common threats
Employee awareness and behavior rely on the quality and relevance of organizational communication and training programs. Therefore, organizations must move away from dry, annual slide deck presentations to engaging and realistic training that prepares teams for the modern risk landscape.
To support retention of the training, companies can scale gamification techniques, such as leaderboards, to reinforce desired behaviors and increase participation. Training programs can and should be more engaging and relevant; for example, scenario-based simulations build awareness of different security threats and how best to respond to them. And because not all employees have the same risk profile, training should be tailored across different roles and teams.
Personalized risk training deepens the lessons and gives employees resources for protecting data. In these training sessions, employees may come to appreciate the importance of security protection in their lives outside of work, and bring this mindset with them into the workplace. Such relatable content can drive engagement as employees learn to make their own personal data more secure.
The next frontier of risk is all about humans in the workforce. Organizations will recognize the importance of reskilling and upskilling their people to understand and avoid common threats. Global spending on IT and risk management will continue to grow; in 2020, spending grew 6.4%, and in 2021 its growth nearly doubled to 12.4%. Global spending on security awareness and phishing simulation programs alone is predicted to reach $10 billion by 2027.
The future of work and risk will also see increased regulatory oversight. Organizations will embrace incentives and consequences associated with compliance efforts, and feel added pressures to build a robust risk management strategy. Even the external public, including clients, stakeholders, and consumers, will feel a heightened awareness of potential risks and strategies to protect their data and reputations.
In the end, sustainable change depends on culture. It’s not enough for organizations to bolster risk management spending or introduce a cutting-edge technology solution and expect people to change accordingly. Change requires communication, education, behavioral strategies and trust. As a leader, if you want to trust your people to protect your organization, start by proving that they can rely on you. Grant your teams the knowledge and tools needed to successfully manage existing and emerging risks.