Why technology is not enough to fend off a cyber attack

  • Chami Akmeemana
  •  Guy Pearce
Closeup of the word security on a screen.


Fending off cyber attacks needs more than the best anti-virus technology — it also demands a shift in culture.

Our research shows that while smart technology may be necessary to keep malware, viruses and other forms of electronic intrusion at bay, it is not sufficient. Rather, the weakest link often turns out to be people who are either careless or not properly trained in cyber-security processes.

For example, ransomware (which encrypts files and then demands payment before restoring the data), is usually introduced into an organization’s computer system when an unsuspecting employee clicks on a link embedded in an email that is thought to be legitimate. Earlier this year, the US Federal Financial Institutions Examination Council (FFIEC) warned banks about a continued sharp rise in cyber-attacks using this type of malware.

User error, loss of equipment, insider sabotage, spam and phishing….these are all examples of how even the best software cannot protect a company or government department if its employees fail to stick to the rules. The role of human beings in cyber risk is so significant that PwC, a leading consultancy, once cautioned that “employees are the most-cited culprits of incidents.”

It is true that technology can mitigate the risk of human error through the use of warning signals, passwords, and other security devices. Even so, any chief executive who assigns total responsibility for managing cyber security to the technology or IT department is taking a big risk.

So how can we address the risk posed by careless, badly-trained or malevolent people?

First and foremost, develop and instill a strong risk culture in your organization.

The Financial Stability Board (FSB), a body that monitors and makes recommendations about the global financial system, says that a shared understanding of an organization’s risk culture is “crucial” so that everyone knows what behaviour is expected of them.

“Deloitte, another big consultancy, believes that “cyber-security leaders … want to instill a ‘cyber-security culture’ in their organizations.”

In other words, developing and integrating an appropriate risk culture should be an important corporate governance goal, not just for senior executives but also the board of directors. It’s vital to set the tone right at the top.

According to the FSB, a strong risk culture begins with a senior leadership team that is transparent and open to criticism, that has documented all risk management responsibilities, and that encourages desired behaviour. The culture they instill then guides the behaviour of colleagues throughout the organization so that it becomes second nature for everyone to act in ways that help mitigate cyber-risk.

At the Global Risk Institute, we believe this requires the establishment of a robust governance structure that sits atop the many silos of a large organization. Among other things, this structure should include a cyber security orientation program for new hires (including board members), an internal control framework, an annual testing and certification process for employees, and an incident reporting system.

It should also involve constant attention to the policies, procedures, standards and guidelines demanded by an effective cyber-risk strategy, in other words, obeying the rules. But it also means more than that. Senior executives must set an example through their own behaviour. Key cyber-security messages must be constantly repeated. And there must be a way of measuring implementation of the rules so that weak spots can be quickly identified.

The human resources department can—and should—play a key role.”

HR should partner with senior management and the board to identify the drivers of people risk, and then draw up a plan to correct shortcomings. That plan should be cemented into the corporate culture through a company-wide transformation program. Some organizations see this as a training activity. However, a coordinated response to one of the biggest risks that a business faces needs to have a higher priority than, say, a one or two-hour training course.

Developing a risk culture can be costly and time-consuming. But the effort is sure to be worthwhile. An effective risk culture can boost productivity, and thus have a positive impact on earnings, and on the value of the organization. It’s not hard to imagine that a tightly integrated risk management strategy could become self-funding as the potential benefits start to match the costs.
As the new cyber risk culture takes hold, every person in the organization, no matter what their job, becomes a line of defence, not only against cyber attack but against business risk in general. That benefit alone is a commanding reason to develop and integrate a risk culture into your organization.

The bottom line is that cyber risk management is much more than an IT issue. Senior management and the board have a duty to inculcate risk culture into the organization so that everyone works as a team to fend off cyber and other risks.

Technology is, of course, a critical enabler of that strategy, but it is not a strategy on its own. Any company that believes it can put its faith in technology alone should steel itself for the worst.

As published in the American Banker July 2016


Chami Akmeemana is Managing Director of Global Markets at the Global Risk Institute.

Guy Pearce serves on the Board of the International Institute of Business Analysis and is a consultant specializing in strategy, risk, data and technology.