Businesses should focus more on employees and company culture when managing their cyber risks, before they get too bogged down in the technology, Willis Towers Watson says.
While that technology is a fundamental part of cyber protection, often ‘people risks’ are ignored.
Those people risks include employee negligence and deliberate malicious acts, which together represent 66% of cyber breaches, while only 18% come from an external threat and cyber extortion accounts for 2%, according to company data.
The company’s head of global Cyber Risk Anthony Dagostino says that organisations are focusing too much on technology and might miss the bigger picture.
“While technology has an important role to play, it really needs to be linked with an understanding of the human element. The simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack. We believe employees and companies with a strong culture and cyber aware workforce are the first line of defense against cyber risk,” he says.
When the company analysed those findings, it decided to launch a Cyber Risk Culture Survey solution, which connects human capital and workplace culture to cybersecurity vigilance and risk. It also enables tracking risk in employee behaviours, eventually building a ‘cyber smart’ workforce.
“When we talk to clients about cyber risk, they tell us bridging their operational silos is one of the biggest hurdles within their organizations,” adds Patrick Kulesa, director of Employee Survey Research at Willis Towers Watson.
The results from the solution can show an organisation’s internal risk culture, focusing on where it may be vulnerable to human-based cyber incidents. Managers can then use these insights to form solutions such as culture changes, reward schemes and other interventions to mitigate the risk.