Cybersecurity, data privacy top ‘people-related’ risks: Report

Cybersecurity and data privacy are now ranked as the top ‘people-related’ risks by companies in Asia, followed by pandemics and related risks, as well as risks posed by the changing nature of work, reveals a new report by Mercer Marsh Benefits (MMB), research and advisory wing of US-based professional services firm Marsh. 

The research firm surveyed over 2,500 human resources and risk professionals in 25 countries globally and includes data from over 600 respondents from Asia. In its finding, the MMB report showed that cybersecurity and data privacy is a top risk in India too based on severity and intensity.

However, the report noted, only 57% of organisations in India say they have mitigation measures in place regarding cybersecurity policies, controls and support systems (such as multi-factor authentication, training, vendor management and/or data encryption). While this figure is low, it is significantly higher than found globally (44%) or across Asia as a whole (48%). 

The last two years have been very challenging across the globe, due to the pandemic, resulting in increased digitisation and acceleration of cybersecurity and data privacy, said Prawal Kalita, Managing Director, MMB.

The silver lining is that respondents in India have higher awareness of risks in areas include health and safety, governance and financial, accelerated digitisation, talent practices, as well as environmental and social, compare with their global and Asia counterparts said the report. 

Joan Collar, Asia and Pacific Regional Leader, MMB, added that 95% of cybersecurity issues are due to human error, so reskilling and upskilling need to be prioritised to ensure employees are keeping up with the technological development and changing world of work. “A large part of human error can be attributed to employee burnout and fatigue due to ongoing pressure and anxiety caused by the pandemic, as well as antiquated systems and lack of proper cyber training,” he added. 

The report also noted the changing nature of work has come to sharp focus along with the pandemic. New business challenges with regards to workforce management, inequities associated with flexible working, as well as technology adoption and growth mindset can be potential sources of risk. 

Against this backdrop, however, only 52% of respondents stated that they have effective policies and support systems in place to enable remote, hybrid or other flexible ways of working and have effective competitive employee value proposition which includes reward practices (54%), it said.

Not just the MMB study, a June 2022 report by security research and education and training organisation SANS Institute too noted that human risk remains the biggest threat to an organisation’s cybersecurity, with an unprecedented number of employees now working in hybrid or fully remote environments.

The study that analysed data of over 1,000 security professionals globally showed that more than 69% of CISOs or security professionals are spending less than half their time on security awareness, and often assign responsibilities to staff with technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.

“People have become the primary attack vector for cyber-attackers around the world,” said Lance Spitzner, SANS Security Awareness Director and co-author of the report. He added that “awareness programs enable security teams to effectively manage their human risk by changing how people think about cybersecurity and help them exhibit secure behaviours, from the Board of Directors to the line staff”. 

Kalita of MMB report also said that the need of the hour is to leverage “scalable and secured technology solutions that support higher employee engagement with highest standards of data privacy and security norms.”