As a cybersecurity company securing millions of users, we're constantly delving into data, looking for patterns that will help customers protect themselves from being the subject of the next breach. Our team conducted a data-mining exercise, and we were shocked by the results. We analyzed a data set that had millions of data points detailing the security behaviors exhibited by 300,000 employees across a vast global network of organizations large and small in a wide variety of industries.
The data showed that just 8% of users caused 80% of the security incidents that we were tracking. This was eye-opening. How can so few people be the focal point of so much disruption? For our team, this small piece of data unlocked a significant opportunity. If we could help our customers identify those 8%, we could change the way they manage risk inside their organizations!
Closing the visibility gap and quantifying human risk
When we think about the user element of our organizations, we understand that every employee is unique, but traditional tools are unable to provide insight into actual behaviors. They tell us which applications are installed on devices and which sites users visit. But they don't tell us which employees are targeted, what risky behaviors they engage in, or what data is shared with whom. Quantifying human risk is similar to the way you would quantify someone's credit score or auto insurance premium: You take data points and map them to specific behaviors. In security, those behaviors fall into three categories:
1. Behavior patterns. Do they make good decisions or bad decisions? Do they open suspicious links? Do they share information over secure channels?
2. Attack factor. How frequently are they in the crosshairs of attackers?
3. Business risk. What role do they play in the organization? What access does their role include? And how do they handle the data they have access to?
If an organization treats all its employees with a one-size-fits-all training program, it's missing the mark. Organizations need to understand where that risk distribution is and start adapting their policies appropriately.
Who’s being attacked – and why
Looking at the attack factor produced another insight from our research. We saw that not everyone gets attacked with the same frequency. Overall, 36% of users were not targeted with phishing attacks in the time that we were analyzing this data. The median phishing rate was about six per year. But there were a small number of employees (4%) who received more than 100 phishing attacks a year.
Who are these people? And why are some getting targeted more often than others?
Turns out, managers are twice as likely to be phished as an individual contributor, and they received 2.5 times the volume of phishing attacks that individual contributors did. Phishing risk also grew with experience: for every three years an employee spent in an organization, their phishing rate doubled.
Our research also showed that risk varied by department. Customer service led the pack, with a whopping 22% of employees experiencing at least one high-risk event. It actually makes sense because these people are out on the front lines: Their job is to engage with customers and make every effort to solve customers’ issues. So, they’re more apt to open themselves up to risk in an effort to be helpful.
Historically, when security companies thought about quantifying human risk, they focused on developing the right questions to ask and the right ways to simulate a threat environment. What we've learned is that when we look at real data, we can paint a much more robust picture of the actual risks that exist inside organizations. So, we can track behavior events, the role each employee holds, how heavily they are attacked, and their security knowledge.
Once we have this level of visibility, it opens a world of opportunities. Organizations can address the risky behavior directly, by assigning training programs more thoughtfully and with higher precision. They can also provide users with real-time nudges at the time of the risky action rather than weeks later in regularly scheduled training. Beyond empowering the user, admins can automatically adjust controls and access, and, when necessary, escalate situations appropriately to HR.
These interventions aren't all created equal. In fact, they layer on top of one another as an organization's program matures.
From insight to action
If a leader fires somebody who’s repeatedly clicking on links, it’s not necessarily going to keep the organization safe. What it will do is create a severe business impact when that person is no longer able to contribute. Training adds a certain amount of protection, and while not the whole solution, it is minimally disruptive in terms of business impact.
The level of attention an organization can apply should increase as risks expand. Most people inside an organization should receive baseline training to help them understand basic security practices. For riskier employees or departments, organizations can consider more aggressive tactics including adding controls, adjusting access, and limiting the ways they move data in the environment. A broader menu of options means organizations aren't limited to the options of either heaping on more training or firing somebody.
Inside the Human Risk Command Center
The Mimecast Human Risk Command Center puts this process into practice. It quantifies human risk by assigning scores for each employee's risk profile, from zero to 10, with zero being no risk and 10 being very risky. For every behavior, an organization can drill in and see insightful data sets about who's doing what.
The Mimecast Human Risk Management platform offers watch lists that can dynamically move users into groups based on risk criteria. Preventive controls can be placed for the most heavily attacked and very high-risk users.
Every employee is different. So why treat them all the same? Adaptive protection means tailoring security to each individual, meeting them where they're at and providing them the right level of support and control.
We also understand that our customers rely on a variety of solutions to protect their entire digital estate, so the Mimecast Human Risk Management Platform offers integrations with leading cybersecurity vendors. This means customers get visibility into human risk in their organization based on data from not just email and security awareness training, but also risk data from endpoint security, DLP solutions, identity and access management systems, and more. For the full list of Human Risk integrations, visit the integrations hub.
The way this looks in practice is that it meets every employee at their risk level, maximizing their productivity while reducing security incidents. So, our low-risk employees, who are doing the right thing and rarely clicking, get positive reinforcement. They have basic security controls that minimize friction and maximize their productivity. Our occasionally risky individuals get nudges and corrective action to get back on track. With a few reminders and slightly escalated controls, they're back to making good decisions.
And then our high-risk individuals – those who are willfully negligent or occasionally malicious – will have security controls in place to help the organization respond and recover appropriately to that level of risk.
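To make the three factor groups, the 0-to-10 score, the watch lists and the tiered response concrete, here is an added example of a toy human-risk scorer. It is not Mimecast's scoring logic or any code from the platform: the weights, the saturation and log scaling, the tier cut-offs, the watch-list rules and the five sample employees are all assumptions chosen for illustration. It also computes what share of incidents lands on the highest-scoring users, the kind of check behind the "8% cause 80%" observation above.

```python
"""Added example (not Mimecast's own scoring logic): a toy human-risk score on the
0-10 scale the page describes, built from the three factor groups it names, plus
watch-list assignment and a check of how concentrated incidents are among the
highest-scoring users. Weights, thresholds and the sample employees are assumptions."""
import math
from dataclasses import dataclass

MEDIAN_PHISH_PER_YEAR = 6     # median quoted on the page
HEAVY_PHISH_PER_YEAR = 100    # page: 4% of users received more than 100 lures a year
WEIGHTS = {"behavior": 0.4, "attack": 0.3, "business": 0.3}   # assumed weighting


@dataclass
class Employee:
    name: str
    manager: bool            # managers are targeted more often, per the page
    tenure_years: float      # phishing rate grows with tenure, per the page
    phish_received: int      # lures received per year (attack factor)
    clicks: int              # suspicious links opened per year (behavior pattern)
    insecure_shares: int     # data sent over non-approved channels (behavior pattern)
    privileged: bool         # role has access to sensitive data (business risk)
    incidents: int           # incidents attributed to the user; used only for the Pareto check


def behavior_factor(e: Employee) -> float:
    """Risky actions, saturating toward 1.0 so one prolific clicker cannot exceed the scale."""
    return 1.0 - math.exp(-(e.clicks + e.insecure_shares) / 3.0)


def attack_factor(e: Employee) -> float:
    """Log-scaled targeting volume: 0 for never targeted, 1.0 at the 'heavily attacked' level."""
    scale = math.log2(HEAVY_PHISH_PER_YEAR / MEDIAN_PHISH_PER_YEAR + 1)
    return min(1.0, math.log2(e.phish_received / MEDIAN_PHISH_PER_YEAR + 1) / scale)


def business_factor(e: Employee) -> float:
    """Role, access and tenure; the three terms sum to at most 1.0."""
    return (0.4 if e.manager else 0.2) + (0.3 if e.privileged else 0.0) + min(0.3, e.tenure_years / 20)


def risk_score(e: Employee) -> float:
    """Composite score on the page's 0 (no risk) to 10 (very risky) scale."""
    composite = (WEIGHTS["behavior"] * behavior_factor(e)
                 + WEIGHTS["attack"] * attack_factor(e)
                 + WEIGHTS["business"] * business_factor(e))
    return round(10 * composite, 1)


def tier(e: Employee) -> str:
    """Assumed cut-offs for the tiered response the page describes."""
    s = risk_score(e)
    return "low" if s < 3 else "moderate" if s < 6 else "high"


INTERVENTIONS = {
    "low": "baseline training, minimal-friction controls",
    "moderate": "real-time nudges, slightly escalated controls",
    "high": "restricted access, preventive controls, escalation when warranted",
}

# Watch lists: named criteria that users move in and out of as their data changes.
WATCH_LISTS = {
    "high_risk": lambda e: risk_score(e) >= 6,
    "heavily_attacked": lambda e: e.phish_received >= 50,
    "repeat_clicker": lambda e: e.clicks >= 3,
}


def watch_lists(staff):
    return {name: sorted(e.name for e in staff if rule(e)) for name, rule in WATCH_LISTS.items()}


def incident_share_of_riskiest(staff, top_fraction: float) -> float:
    """Fraction of all incidents attributed to the top `top_fraction` of users by score."""
    ranked = sorted(staff, key=risk_score, reverse=True)
    n = math.ceil(len(ranked) * top_fraction)
    total = sum(e.incidents for e in staff)
    return sum(e.incidents for e in ranked[:n]) / total if total else 0.0


# Constructed sample population; the numbers are illustrative, not the page's data.
STAFF = [
    Employee("ana", False, 1, 4, 0, 0, False, 0),
    Employee("ben", False, 4, 8, 1, 1, False, 1),
    Employee("cara", True, 9, 60, 0, 0, True, 0),
    Employee("dev", False, 2, 12, 4, 2, True, 5),
    Employee("eli", True, 12, 130, 3, 0, True, 4),
]

if __name__ == "__main__":
    for e in STAFF:
        print(f"{e.name:5} score={risk_score(e):4} tier={tier(e):8} -> {INTERVENTIONS[tier(e)]}")
    print("watch lists:", watch_lists(STAFF))
    print("incident share of top 40%:", incident_share_of_riskiest(STAFF, 0.4))
```

Two design points worth noting. The "heavily_attacked" watch list is keyed on targeting volume alone, not the composite score, so a well-behaved manager such as "cara" who never clicks still gets preventive controls because attackers keep choosing her. And the attack factor is log-scaled against the page's median of six lures a year, so doubling from six to twelve moves the score much more than doubling from 200 to 400; a linear scale would let a few extreme targets flatten everyone else to zero.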
When you understand human risk, you can measure it, manage it, and most importantly, reduce it. That’s the power of human risk management.