While organizations understandably make significant investments in technology to defend against external cyber threats, their biggest security vulnerability is internal and hiding in plain sight: their employees.

Willis Towers Watson’s cyber insurance claims data show that two thirds of cyber breaches are caused or enabled by employee negligence or malfeasance, including losing laptops, the accidental disclosure of information or actions of rogue employees. By contrast, only 18% are directly driven by an external threat.

Employees can be the strongest asset in an organization’s cyber security strategy. However, it takes more than technology solutions to turn them into your first line of defence against cyber threats.

This recognition is prompting a growing number of organizations to examine their internal culture and its role in encouraging behaviour that can lessen their vulnerability to cyber risk. Over 80% of organizations participating in the 2017 Willis Tower Watson Cyber Risk Survey indicated that they want to have cyber risk management embedded in their company culture within the next three years. But how will they get there when much of an organization’s risk culture lies beneath the surface?

The following steps can help organizations build a strong, cyber-savvy culture:

1) Assess your internal risk culture

To build a risk-averse culture, organizations must be able to measure the risk inherent in employee behaviour. Perhaps the most useful and least obvious assessment tool is a cyber risk culture survey – an employee survey that assesses an individual’s sense of responsibility and accountability for cyber security.

By having employees answer questions related to their awareness of cyber risks and their behaviour in response to threats (e.g. does an individual send important or confidential information by email using password protection?), an employer can develop a profile of the groups most in need of attention.

This type of assessment can also help reveal how well an organization and its leaders support a cyber risk culture. For example, the survey can measure employee perception of cyber risk training across key functional areas.

In addition, with the right capabilities and data, organizations can compare their outcomes to those of industry peers and high performers globally.

The resulting insights will help senior leaders target high-risk segments and develop plans to bridge gaps in cyber risk education as well as overall organizational support for cybersecurity.

2) Prioritise targeted training

Because employees will have different levels of awareness and knowledge of cyber risk, it is essential to tailor ongoing training initiatives to different employee groups.

Training components can include training delivered online or in person by an instructor, self-paced learning and “learning-by-doing” approaches – think simulations where employees have to respond to cyber threats such as phishing schemes.

The benefits of comprehensive training are clear: 77% of employees believe it increases their sense of personal responsibility for data security at work, according to the 2017 Willis Tower Watson Cyber Risk Survey.

3) Rethink your skills strategies

Given the information security skills shortages in many economies and evolving talent requirements, it is essential to assess skills gaps at regular intervals and determine how to best fill those gaps – either by hiring new talent or upgrading the skills of existing employees. An ongoing opportunity to learn new skills also gives high-value employees a reason to stay with their organization.

Given the information security skills shortages in many economies and evolving talent requirements, it is essential to assess skills gaps at regular intervals and determine how to best fill those gaps – either by hiring new talent or upgrading the skills of existing employees. An ongoing opportunity to learn new skills also gives high-value employees a reason to stay with their organization.

As information security plays an increasingly critical role in the organization, new talent challenges arise. For example, in some organizations, information security is “co-led” with the business. This shift creates a need for hybrid roles in cybersecurity requiring business acumen as well as technical skills. Keeping up with these changing roles can provide a competitive edge.

Cyber threats show no sign of easing any time soon. By assessing the threat, providing ongoing opportunities to learn, and developing forward-looking talent strategies, organizations can create a strong, cyber-smart culture to protect against cyber breaches.