Security Awareness Training

    The Size and Shape of Workforce Risk

    Following Mimecast's acquisition of Elevate Security, we explore the idea of a non-universal approach to human risk: applying extra security training for the riskiest users.

    Key Points

    • How do we identify the riskiest users, and what exactly do we mean by “risky” anyway?
    • Are there a lot of risky users or just a few, and are some users more prone to be risky than others?
    • How can we help risky users engage in less risky behavior, and what kind of impact on our incidents could proactively identifying risky users have?
    • Research conducted by the Cyentia Institute leverages data from Elevate Security to start to answer some of these questions and clarify what exactly makes a user “risky”.

    Everyone at an organization has a different role. From the maintenance staff to the CEO, the skills required to keep the organization running smoothly differ widely.

    Even though people’s backgrounds and duties vary, security controls for workforce risk tend to be applied universally and indiscriminately. Policies apply to everyone equally: all are subjected to the exact same security awareness training courses, the same phishing simulations are sent to every email address, and everyone’s email traffic runs through the same set of network appliances and anomaly detectors.

    A one-size-fits-all approach has advantages, such as being easier to deploy and providing a universal, minimal set of mitigations. But if a universal approach worked, we wouldn’t be here. The fact is, some users are security pros who are fastidiously cautious in all their online interactions. For these users, the many security guardrails organizations put up won’t reduce their already low risk or lower the risk for the organization as a whole.

    On the other end of the spectrum, however, are the users who give the CISO nightmares. These users click every link that pops up on their screen and download every attachment while streaming from illegal media sites. All the policy and training likely won’t put a dent in the outsized risk those users represent.

    Download this white paper to see some concrete numbers so you can understand how your users or departments measure up to everyone else and discover that some types of risky behavior are likely indicative of other kinds.
