Australian companies facing tougher privacy laws have been warned employee actions account for two-thirds of cyber breaches worldwide.

Willis Towers Watson says many organisations focus on the technology aspect of cyber defence, but often at the expense of people-related risks, which represent the largest source of data breach claims.

External threats account for 18% of breaches, while cyber extortion represents just 2%, according to the global data.

“With the recent introduction of a mandatory notification regime for privacy breaches, combined with an increased regulatory focus on the cyber resilience of Australian business, it is vital that companies understand their cyber risks,” Willis Towers Watson Financial and Executive Risks Specialist Tanya Stevenson said.

Companies that can articulate their cyber-risk culture and management of threats beyond their IT departments are in the strongest position when negotiating cyber cover, she says.

Willis Towers Watson Asia-Pacific Head of Talent and Rewards Hamish Deery says there is a serious danger of breaches if new staff are not effectively trained to manage cyber risk.

Ongoing training, including knowledge of how to circumvent hackers’ attempts to acquire data, is also important.

“Failing to sufficiently emphasise a customer focus and appropriate incentive and training programs to support the management of cyber security are also evident in those companies that have had breaches,” Mr Deery said.

Willis says it has developed a Cyber Risk Culture Survey to assess an organisation’s internal risk culture, with a focus on vulnerability to employee-driven incidents.