December 04, 2025
3 Tiers of a Framework for Mitigating Human Error
To protect against cyber vulnerabilities caused by human behavior, organizations need visibility and control at the user level.
For years, organizations have provided security awareness training to their employees, hoping to cut down on the number of workers who click on malicious links and visit unsafe websites.
It’s not working.
Here’s the problem: Most human-caused cybersecurity issues can be traced to about 8% to 10% of employees. And yet, most organizations lack visibility into who these employees are. Everyone receives the same training, regardless of their risk profile. And policies are applied uniformly across the organization, rather than based on individual risks and needs.
At Mimecast, we use a three-tier framework to help our customers identify and prevent human-caused vulnerabilities at the level of the user.
1. Measure the Risk of Employee Activities
As of August, all of Mimecast’s 42,000 email security customers have access to the Human Risk Command Center. This tool builds out individual risk scores for employees across the organization by measuring the risk of their activities. This includes users’ interactions with both real and simulated phishing attempts, their usage of unauthorized applications and services (shadow IT) and data handling practices such as forwarding sensitive emails to personal accounts.
The score also considers whether users are merely making occasional mistakes or if they are repeatedly engaging in high-risk behaviors. The risk score doesn’t use only Mimecast data but also information from our partners, including CrowdStrike and Microsoft, which results in a holistic picture of each user’s habits. By measuring user behavior in this way, organizations can target their training and risk mitigation efforts on the employees who most need intervention, rather than taking a blanket approach.
2. Empower Workers to Be Productive and Responsible
Pushing out cyber awareness training to all employees on a fixed schedule is a mistake for several reasons. For one, training is most impactful when it follows an incident; if a group of employees falls for an email phishing scam but they don’t receive any training until the next quarter, the training might feel irrelevant to them. (I sometimes use a parenting example to illustrate this point: If your son pulls your daughter’s hair, you don’t wait three months to address it.)
Perhaps even worse, organizations waste countless hours of productivity by forcing low-risk employees to sit through quarterly or annual training about things they already know. By providing just-in-time training to the employees who need it most, organizations meet their workers where they are and empower them to be both productive and responsible.
3. Protect the Enterprise With User-Level Policies
Sometimes, certain employees need more than just additional training.
Organizations may need to protect their IT environments by pushing out policies that specifically restrict the behavior of their riskiest employees. In the past, organizations have set their cybersecurity policies for entire teams or job roles. This can have the unintended impact of restricting the behavior — and, potentially, lowering the productivity — of low-risk employees.
Instead, organizations should set cybersecurity policies on the user level. If Bob from accounting won’t stop visiting malicious sites, then he gets a more restrictive URL protection policy. If Julie from HR keeps uploading sensitive information to a consumer-grade file-sharing service, then her account faces additional restrictions. By applying user-level policy protections, organizations can keep their environments safe from the small portion of users who are putting them at the greatest risk.
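The following Python example, added here and not Mimecast's own scoring logic, sketches how tiers 1 and 3 fit together: per-user events are weighted, repeated risky behavior counts more than a one-off mistake, reported phish lower the score, and the resulting tier drives both training and user-level policy. Every event name, weight, threshold and control label below is a constructed assumption for illustration, and the event log is made-up sample data.

```python
from collections import Counter

# Hypothetical event taxonomy and weights (constructed for this example,
# not Mimecast's real scoring model).
EVENT_WEIGHTS = {
    "phish_click_real": 10.0,    # clicked a link in a real phishing email
    "phish_click_sim": 4.0,      # clicked a link in a simulated phish
    "shadow_it": 3.0,            # used an unsanctioned application or service
    "forward_to_personal": 6.0,  # forwarded sensitive mail to a personal account
    "phish_report": -3.0,        # reported a suspicious email; lowers the score
}
REPEAT_MULTIPLIER = 1.5  # each repeat of a risky behaviour beyond the first counts 1.5x
TIER_THRESHOLDS = [("high", 30.0), ("medium", 10.0), ("low", 0.0)]  # assumed cut-offs

# Which user-level control a risky behaviour maps to (hypothetical control names).
CONTROL_FOR_EVENT = {
    "phish_click_real": ("url_policy", "restrictive"),
    "phish_click_sim": ("url_policy", "restrictive"),
    "shadow_it": ("app_policy", "block_unsanctioned"),
    "forward_to_personal": ("dlp_policy", "block_personal_accounts"),
}

# Constructed sample event log: (user, event_type), oldest first.
SAMPLE_EVENTS = [
    ("alice", "phish_click_sim"),
    ("alice", "phish_report"),
    ("alice", "phish_report"),
    ("bob", "phish_click_real"),
    ("bob", "phish_click_real"),
    ("bob", "shadow_it"),
    ("bob", "phish_click_real"),
    ("julie", "forward_to_personal"),
    ("julie", "shadow_it"),
    ("julie", "forward_to_personal"),
    ("julie", "shadow_it"),
]


def group_by_user(events):
    """Collect the list of event types seen for each user."""
    per_user = {}
    for user, event_type in events:
        per_user.setdefault(user, []).append(event_type)
    return per_user


def score_user(event_types):
    """Weighted score; repeats of a risky behaviour are amplified, never below zero."""
    total = 0.0
    for event_type, n in Counter(event_types).items():
        weight = EVENT_WEIGHTS[event_type]
        if weight > 0 and n > 1:
            # first occurrence at full weight, each repeat at weight * multiplier
            total += weight + (n - 1) * weight * REPEAT_MULTIPLIER
        else:
            total += weight * n
    return max(total, 0.0)


def score_all(events):
    """Risk score per user for the whole event log."""
    return {user: score_user(ets) for user, ets in group_by_user(events).items()}


def tier_for(score):
    """Map a numeric score onto the assumed low/medium/high tiers."""
    for name, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            return name
    return "low"


def dominant_behaviour(event_types):
    """The risky behaviour contributing the most raw weight, or None if there is none."""
    contribution = Counter()
    for event_type in event_types:
        if EVENT_WEIGHTS[event_type] > 0:
            contribution[event_type] += EVENT_WEIGHTS[event_type]
    return contribution.most_common(1)[0][0] if contribution else None


def assign_controls(events):
    """Per user: score, tier, training decision and any user-level policy."""
    result = {}
    for user, ets in group_by_user(events).items():
        score = score_user(ets)
        tier = tier_for(score)
        entry = {"score": score, "tier": tier, "training": "none"}
        focus = dominant_behaviour(ets)
        if tier in ("medium", "high") and focus is not None:
            # just-in-time training aimed at the behaviour that drove the score
            entry["training"] = "just_in_time"
            entry["training_topic"] = focus
        if tier == "high" and focus is not None:
            # only the highest-risk users get a restrictive user-level policy
            policy_name, policy_value = CONTROL_FOR_EVENT[focus]
            entry[policy_name] = policy_value
        result[user] = entry
    return result


if __name__ == "__main__":
    for user, entry in assign_controls(SAMPLE_EVENTS).items():
        print(user, entry)
```

With the sample log, Bob's three real phishing clicks push him into the high tier and onto a restrictive URL policy, Julie's repeated forwarding lands her in the medium tier with just-in-time training on that behaviour, and Alice's two reported phish cancel out her one simulated click, so she receives no extra training or restriction.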
Your security starts and ends with people, with 68% of breaches involving a human element. Transform the way you address human risk.
Brandon Reid
Field CTO