Digital Transformation and Employee Risk – Are Your People Ready?

Every year, it is common for Boards and Executives within organisations to comment extensively on the “unprecedented” level of change an organisation has had or will experience as it moves from year to year. In fact, change has become the only constant we can expect. As we use technology to speed up the transfer of information, it creates amazing opportunity and potentially greater risk.

The Internet of Things connects more devices and more non-cash financial transactions take place, creating a greater opportunity for cyber crime. In May 2017, WannaCry impacted 200,000 people across 150 countries in less than 2 days![1] Events such as the Kathmandu, Toyota, Marriott Hotel and PageUp ransomware/malware/attacks are just some examples of security breaches affecting organisations in any industry. These attacks are not just a result of organisation infrasturcture failing to defend against cyber attackers. Employees and organisation culture are equally as important in defending against cyber attacks, if not more. Cybersecurity Insiders’ 2018 Insider Threat report[2] found that 53 percent of companies surveyed had experienced an insider-related attack over the past year. These organisations were nearly evenly split over whether they worried more about employees inadvertently exposing the business, such as clicking on phishing links (51%) or malevolent employee behaviour (47%).

To better prepare against attacks, organisations should continually assess their overall cyber risk profile (internal and external), remediate where necessary and proactively manage their defence, according to the CEO of Aon’s Cyber Solutions, J Hogg. Securing an organisation requires security mandates and focus from the Boards and Executives. Too often, cyber risks become a priority only after a cyber incident has occurred.

So as traditional industries, including the “brick-and-mortar” industry, rapidly evolve into digital economies/providers, they face multiple new and unrecognised exposures. Aon’s cyber security experts recommend the following four steps to help organisations deal with cyber risks both internally and externally:

1. Identify – cyber risk profiling to help you gain a thorough understanding of your cyber risk exposures and areas of improvement.
2. Mitigate – cyber incident readiness assessments to evaluate your response capabilities during a crisis.
3. Transfer – bespoke cyber insurance solutions that suit your company’s specific risk profile.
4. Select – and develop – the right talent – assess your organisation’s cyber readiness including assessing if your organisation is hiring individuals with cyber security awareness and who show the behavioural characteristics needed in security relevant situations.

The fourth step is gaining increased spotlight for a number of reasons – according to the EU Commissioner for Security Union ‘95% of attacks involve some human interaction with technology. Building resilience also means changing behaviours to improve cyber hygiene and having the right skills to drive technological innovation to stay ahead of attackers.’[3] Aon’s Global Culture & Engagement Practice says that one thing we often find in post-mortems around risk events like safety, ethics, or business operations is a culture of passivity or acquiescence around known areas of exposure. Employees have given up because they are not listened to, punished, or the systems or processes are too difficult to overcome. Disengaged or passive employees look the other way. Highly engaged employees and leaders speak up and initiate change to reduce the exposure.

Aon’s North America Assessment Solutions Practice leader, Ernie Paskey says “to fully manage risk, organisations need to account for human behaviour. Who will be diligent? Who is skilled at identifying vulnerabilities? Who will support an organisational culture that embraces sensible risk management? Knowing the workforce’s behavioural tendencies and capabilities gives organisations an advantage in cyber security warfare.”

Unfortunately, selecting, training and retaining key personnel isn’t easy. Organisations globally have identified the failure to attract and retain top talent as one of their top 10 risks[4]. Beginning to fill that gap depends on organisations knowing who can be effective in each role. What makes the difference between winners and losers is the ability to identify, recruit and retain the key talent. Aon’s Talent Assessment team recommend organisations[5]:

• Identify digital talent early in the hiring process with a view to future-proofing your selection decisions.
• Assess your current employees’ digital readiness and help them master skills needed to succeed in the digital world of work. Spot digital talent and create career paths for digital leaders.
• Support your business’s digital transformation by defining the digital personality traits needed to drive your digital journey and understand the process that needs to be changed.

Once you have the right people in the organisation, organisations must develop a structure that’s right for the talent and organisation and then reward them for accomplishments. Digital transformation often results in a reformulation of what work the organisation needs, how the work gets done, and who does the work, unique to that organisation. This has a significant impact on the way rewards should be structured. It is important to determine how much of the organisation’s rewards approach needs to change. The goal for non-technology companies hiring for new jobs isn’t to imitate technology companies, but, rather, to identify the structural attributes that help to attract and retain people who are ‘tech savvy’ or ‘digital natives’. Organisations should look at:

1. Reward strategy development/reformulation – this includes re-examining the market for talent, target market positioning, pay mix, to build or buy talent, degree of customisation.
2. Job architecture/reward design – organisations should re-examine the work that needs to happen and how that work gets done. This can either be on a focused basis only (e.g. just for tech roles) or on an organisation-wide basis. Common attributes include dual career tracks, greater agility and flexibility to move throughout the organisation, a global levelling structure that also enables mobility, and simplified job structures with broader job families[6].
3. Data/insights – it is increasingly common for non-tech companies to try to compete for talent with technology companies. In order to do so effectively, they need to know more about the pay practices in the technology sector and market. With almost 3,000 tech companies in Aon’s Radford survey, survey participants and Aon consultants are able to leverage every aspect of Aon’s database to provide pay data, program design and talent management insights unmatched by many other firms.

For more information on how Aon can support you with any of the above, please contact us.

[1] https://www.reuters.com/article/us-cyber-attack-europol/cyber-attack-hits-200000-in-at-least-150-countries-europol-idUSKCN18A0FX

[2] http://crowdresearchpartners.com/wp-content/uploads/2017/07/Insider-Threat-Report-2018.pdf

[3] https://ec.europa.eu/commission/commissioners/2014-2019/king/announcements/commissioner-kings-speech-eu-cybersecurity-conference-digital-single-market-common-digital-security_en

[4] Aon’s 2019 Global Risk Management Survey

[5] https://insights.humancapital.aon.com/factsheets-assessments/digital-readiness-fact-sheet

[6] https://insights.humancapital.aon.com/assessments-transformation/aon-job-architecture-convergence-white-paper