Communication key to reducing cyber risk

Communication key to reducing cyber risk | Insurance Business

Communication key to reducing cyber risk

The majority of business owners now appreciate the importance of strong cyber security - but a lack of communication across hierarchical levels could be putting organisations at serious risk.

According to a recent survey from research and ratings firm Clutch, 52% of employees reported their organisation has a cybersecurity policy but only 47% said it was formally acknowledged.

This means some employees know their company has a policy but their employer has not officially introduced it nor offered any guidance on compliance.

Randy Battat, CEO of encryption firm PreVeil, says it’s not uncommon to see a lack of communication between different levels of an organisation.

“Often, formal cybersecurity policies that are at the board or C-level may not necessarily be propagated to every single employee,” he said.

The study also found a worrying policy gap in relation to personal devices – while the majority of employees (64%) use a company-approved device for work purposes, only 40% are subject to regulations regarding its use.

While using a personal device isn’t inherently dangerous, Battat said it’s the widespread unawareness from employees that actually poses security risks.

“We’ve seen that at many companies - employees believe that information that needs to be protected is special, sensitive stuff that’s explicitly marked, and most of the everyday communications they receive and send aren’t a risk for their organizations,” he said.  “The reality is that the majority of communications, and the majority of an organisation’s intellectual capital, can be found in the ‘ordinary’ email or shared file.”

In the modern workforce, he explained, activities such as accessing emails and shared documents on a personal device are so normalised that employees lose sight of their potential security risk.

Companies can reduce risk if they train their employees about what information is sensitive to their organisation and how to securely access it, he added.

However, the study did find that more employees had experienced security incidents (60%) than had experienced policy training (59%) which indicates that staff have the ability to recognise threats even without formal education.

 

Related stories:
Are firms failing to learn from cyber mistakes?
Willis Towers Watson scoops cyber award