Mimecast: Employee training must supplement application security

08 May 2019

Too many organisations are looking for a technical solution to what is essentially a human problem.

A company’s biggest security risk is unintentional employee negligence.

Most security professionals agree that awareness training is the best way to tackle the problem, but traditional training methods, on the whole, aren’t moving the needle.

Techday spoke to Mimecast security awareness and threat intelligence products senior vice president and general manager Michael Madon on what organisations can do to reduce risk.

How is Mimecast's Awareness Training aiming to help address human error in cybersecurity?    

Human error is involved in 90% or more of all business security breaches. 

The question is what to do about it. 

For some, the answer is mostly technical – programs and packages that try to solve for human error without putting any faith or responsibility in human beings. 

But we strongly believe that employees play a critical role in your security posture and that instead of coping with an employee base that is a liability, one should foster an employee base that is part of your active defence - a human firewall if you will.

That’s what Mimecast’s Awareness Training does. 

We offer security products for email, web, business continuity and archiving, now combined with engaging, impactful commercial training programs available in the market today. 

Our specific training approach uses humour as an engagement mechanism, keeps the modules to 3-5 minutes a month and trains persistently – on average once a month. 

We use phish testing and risk scoring to help identify who needs additional training and offer customers the ability to deploy custom training modules and campaigns based on that intelligence. 

This approach creates a virtuous cycle of behaviour change, learning and increasing levels of security awareness, in a fun, positive, respectful and effective manner. 

How is a human-centric approach to cybersecurity more effective than an application approach?   

I don’t think it’s a question of more effective. 

I think it’s about being complementary. 

It’s left hand, right hand. 

And if you don’t have either one, then you are defending yourself with a single hand.

Educating people to be cyber-aware is an important part of an effective cyber resilience strategy. 

This enhances the security posture of our clients, one already bolstered by the other tech-centric products in Mimecast’s portfolio. To really have an effective cybersecurity plan in any organisation, it requires both a human-centric and an application approach.  

How is Mimecast's Awareness Training different from other education programs?  

I believe the biggest differentiator is how engaging our training is. 

If training is boring and unengaging, it does not work. 

If it is not frequent, it does not work. 

If it takes more than a few minutes out of someone’s busy day, it does not work. 

You have to strike the right balance to make it consumable, relatable and top of mind, without triggering negatives like “I really don’t have time for this” or “I hate sitting through this.” 

Humour is an essential part of our cybersecurity training and we believe this is a key part of why our approach is so successful.

As human beings, it’s hard to tune out when something is funny. 

With other vendors, training can be challenging, with long employee sessions often considered boring and uninteresting.

But add humour to employee training, keep it short and punchy, and employees are more likely to listen, laugh and in more cases than not, absorb the knowledge we are sharing.   

What's the single biggest thing that organisations can do to reduce risk?   

Lead by example.

Establish a security program in a holistic way that ensures a commitment of security across the organisation.

This means a responsibility at the C-suite level to be engaging, endorsing, and supportive of training. 

It is our belief that if employees know how important the topic is, that senior leadership takes it very seriously, and the training itself is persistent, not burdensome and very engaging, the results will be dramatic.
