Culture Influences Data Breach Risk, Research Says


By Genevieve Douglas

May 25 — Corporate cultures that don't prioritize employee training, company image or customer service could be open to greater risk of a data breach, according to new research from Willis Towers Watson.

The human element is a great risk factor in data security breaches, and often the corporate culture that surrounds employees influences their commitment to protecting the company's data and security, Adeola Adele, employment practices liability product and cyber-thought-leader of Willis Towers Watson’s FINEX North America practice, told Bloomberg BNA May 23.

It's important to understand the human element in order to start addressing the risk of a cyber breach more effectively, Adele said.

Willis Towers Watson studied reports of actual breach events and the corresponding surveys employees had completed at or before the time of the breach event, Patrick Kulesa, global research director of Willis Towers Watson’s Research and Innovation Center, told Bloomberg BNA May 23. The advisory firm analyzed employee survey results from more than 450,000 employees at 12 organizations.

This research revealed common places where employees are struggling in following protocol and practices regarding information and data security, Kulesa said. Specifically, workers in companies that had a data breach had less favorable views of training, especially for new employees; they also indicated a widespread lack of customer focus at the employer.

Preventing a Cyber Attack

Adele and Kulesa recommended employers adopt a number of prevention strategies:

  •  Focus on an enterprisewide approach to setting cyber-strategy, with collaboration across corporate functions including IT, HR, legal, operations and finance.
  •  Invest in making the workforce cyber-smart through comprehensive training and a combination of rewards and disincentives to encourage a culture supportive of cyber security.
  •  Consider technology as only one of several lines of defense. While technological defenses are critical, they are not a sufficient response on their own.


According to Roland Hung, an associate in the litigation group for McCarthy Tetrault in Calgary, Canada, many employers may not be able to avoid a breach entirely, but there are steps they can take to limit the extent of the damage. Organizations should only collect or retain enough information or data needed to reasonably address a project or task, Hung told Bloomberg BNA.

Additionally, if an employer uses a third-party vendor for data collection and storage, there should be a contract in place that requires the vendor to notify the organization of a breach or a suspected breach, he said. Companies also should make sure that their data retention and destruction policies comply with federal regulations, Hung added.

Protocols Also Needed for Insider Attacks

While in many instances data breaches result from simple employee error, employers too often discount threats from workers seeking to deliberately cause a cyber breach, Edward McAndrew, a partner at Ballard Spahr LLP and a former federal cybercrime prosecutor, told Bloomberg BNA May 24.

Employers need to have comprehensive monitoring of their employees' Internet network behavior, McAndrew said.

Anomalies have to be spotted in real time, he said. “It’s not enough to just have a stronger firewall, and it’s not enough to train employees and hope for the best,” McAndrew added.

At first notice of a malicious breach from within the company, an investigation should begin without tipping off the suspected employee, he said. This can be done through mirror imaging of the employee's workstation at night and monitoring the employee’s online and physical activities, McAndrew said. He also recommended employers seek help from local law enforcement.

If all of this is done effectively, there’s a great potential to mitigate the harm, fully understand and recover from the breach, and properly take action against the employee, he said.

To contact the reporter on this story: Genevieve Douglas in Washington at

To contact the editor responsible for this story: Tony Harris in Washington at
