Press Release

87% of firms see untrained staff as greatest cyber risk, according to Willis Towers Watson and ESI ThoughtLab

This is compounded by staff training ranking as one of the weakest progress categories measured against the NIST cybersecurity framework.

October 16, 2018

Arlington, VA/London, October 16, 2018 – The majority of executives (87%) around the world cite untrained staff as the greatest cyber risk to their business, according to a new report from “The Cybersecurity Imperative” – a global thought leadership program produced by independent researcher ESI ThoughtLab in conjunction with Willis Towers Watson and other organizations specializing in cybersecurity and risk management. Compounding this finding, staff training ranks among the categories that have made the least progress when measured against the National Institute of Standards and Technology (NIST) cybersecurity framework.

For The Cybersecurity Imperative, ESI ThoughtLab surveyed 1,300 organizations with revenues ranging from under $1 billion to over $50 billion, across multiple industries spanning APAC, Europe, US/Canada and Latin America.

The research also found that the most common types of attack include malware/spyware (81%) and phishing (64%), with external unsophisticated hackers (59%) and cyber criminals (57%) identified as the next biggest external threats. Based on scores relating to progress on the NIST cybersecurity framework, ESI ThoughtLab segmented companies into three stages of cybersecurity maturity: beginners, intermediates and leaders.

The survey found that a company’s threat perception varied based on the firm’s cybersecurity maturity. For example, cybersecurity leaders tend to focus more on “Hacktivists” (52%) and malicious insider threats (40%), whereas cybersecurity beginners spend more time worrying about external threats (42%), such as partners, vendors, and suppliers.

Additionally, the research highlights that cybersecurity leaders invest more in cyber resilience, or post-cyber-incident processes, than their beginner counterparts. As companies become more advanced in cybersecurity, they increase their investment in resilience: cybersecurity beginners spend 14% of their cyber budget on recovery, while cyber leaders spend 18%.

Some other key findings around cybersecurity maturity and investment in cyber risk include:

  • 91 percent of cybersecurity leaders feel their investment is adequate to meet their needs
  • 33 percent of cybersecurity beginners view their investment as adequate to meet their needs
  • 73 percent of companies plan to use behavior analytics as a cybersecurity tool over the next two years
  • 80 percent of companies have at least a small amount of cybersecurity insurance, with healthcare companies averaging one of the highest amounts ($16.4 million) and manufacturing averaging one of the lowest ($8.6 million)

“Leaders in cybersecurity are devoting significant resources towards protecting IT and risk functions within their organizations against external threats, but employee processes and training as well as corporate culture play a more integral role than many realize.” As the report highlights, “The vast majority of cyber incidents result from employee behavior and human error,” says Anthony Dagostino, global head of cyber risk, Willis Towers Watson. “In addition to mitigating cyber threats through technology and risk transfer, cyber managers need to take a step back and assess their organization's cyber defenses within. Cyber managers must adopt a continuous assessment strategy, one that focuses on the overall culture of engagement, talent preparedness and the role of technology and risk transfer.”

The Cybersecurity Imperative highlights the need for ongoing cyber risk assessment across people, processes, and technology. Willis Towers Watson’s integrated and holistic approach offers tools and solutions to help organizations with cyber risk assessment, risk quantification and risk transfer.

For more insights on perceived threats, cybersecurity maturity and investment, the full report may be downloaded here.


Notes to the Editors:

About Willis Towers Watson

Willis Towers Watson (NASDAQ: WLTW) is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has over 40,000 employees serving more than 140 countries. We design and deliver solutions that manage risk, optimize benefits, cultivate talent, and expand the power of capital to protect and strengthen institutions and individuals. Our unique perspective allows us to see the critical intersections between talent, assets and ideas — the dynamic formula that drives business performance. Together, we unlock potential.

About Willis Towers Watson Cyber

Willis Towers Watson takes a holistic approach to cyber risk management and resiliency, with the understanding that a complete corporate solution addresses and incorporates people, capital, and technology strategies. Our cyber experts have decoded the complexity of the current cyber threat landscape to deliver this integrated perspective to major enterprises across sectors. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess an organization's cyber vulnerabilities, providing protection through best-in-class solutions and mitigating the risk of future attacks. Explore comprehensive cybersecurity solutions at willistowerswatson.com/cyber.

About the research team

ESI ThoughtLab: ESI ThoughtLab is the thought leadership arm of Econsult Solutions Inc., a leading economic consultancy. The innovative think tank offers fresh ideas and evidence-based analysis to help business and government leaders understand and respond to economic, industry and technological shifts around the world. Its team of top economists and thought leaders excels at creating valuable decision support that combines visionary thinking, analytical excellence, and multi-format content.

WSJ Pro Cybersecurity: WSJ Pro Cybersecurity is designed to help executives monitor the ever-changing landscape of cybersecurity through a business lens. Our dedicated team delivers unique, actionable insight on the wide-ranging challenges of cybercrime risk.

About the study

This report is based on a global survey of 1,300 organizations across industries and regions, meetings with an advisory panel, in-depth interviews with leading experts, and rigorous benchmarking analysis. The research was conducted in conjunction with a diverse coalition of sponsors, including Protiviti, Baker McKenzie, CyberCube, HP Inc., KnowBe4, Opus, Security Industry Association, and Willis Towers Watson.