Mimecast: Employee training must supplement application security

08 May 2019

Too many organisations are looking for a technical solution to what is essentially a human problem.

A company’s biggest security risk is unintentional employee negligence.

Most security professionals agree that awareness training is the best way to tackle the problem, but traditional training methods, on the whole, aren’t moving the needle.

Techday spoke to Mimecast security awareness and threat intelligence products senior vice president and general manager Michael Madon on what organisations can do to reduce risk.

How is Mimecast's Awareness Training aiming to help address human error in cybersecurity?    

Human error is involved in 90% or more of all business security breaches. 

The question is what to do about it. 

For some, the answer is mostly technical – programs and packages that try to solve for human error without putting any faith or responsibility in human beings. 

But we strongly believe that employees play a critical role in your security posture and that instead of coping with an employee base that is a liability, one should foster an employee base that is part of your active defence - a human firewall if you will.

That’s what Mimecast’s Awareness Training does. 

We offer security products for email, web, business continuity and archiving, now combined with engaging, impactful commercial training programs available in the market today. 

Our specific training approach uses humour as an engagement mechanism, keeps the modules to 3-5 minutes a month and trains persistently – on average once a month. 

We use phish testing and risk scoring to help identify who needs additional training and offer customers the ability to deploy custom training modules and campaigns based on that intelligence. 

This approach creates a virtuous cycle of behaviour change, learning and increasing levels of security awareness, in a fun, positive, respectful and effective manner. 

How is a human-centric approach to cybersecurity more effective than an application approach?   

I don’t think it’s a question of more effective. 

I think it’s about being complementary. 

It’s left hand, right hand. 

And if you don’t have either one, then you are defending yourself with a single hand.

Educating people to be cyber-aware is an important part of an effective cyber resilience strategy. 

This enhances the security posture of our clients, one already bolstered by the other tech-centric products in Mimecast’s portfolio. To really have an effective cybersecurity plan in any organisation, it requires both a human-centric and an application approach.  

How is Mimecast's Awareness Training different from other education programs?  

I believe the biggest differentiator is how engaging our training is. 

If training is boring and unengaging, it does not work. 

If it is not frequent, it does not work. 

If it takes more than a few minutes out of someone’s busy day, it does not work. 

You have to strike the right balance to make it consumable, relatable and top of mind, without triggering negatives like “I really don’t have time for this” or “I hate sitting through this.” 

Humour is an essential part of our cybersecurity training and we believe this is a key part of why our approach is so successful.

As human beings, it’s hard to tune out when something is funny. 

With other vendors, training can be challenging, with long employee sessions often considered boring and uninteresting.

But add humour to employee training, keep it short and punchy, and employees are more likely to listen, laugh and, in more cases than not, absorb the knowledge we are sharing.

What's the single biggest thing that organisations can do to reduce risk?   

Lead by example.

Establish a security program in a holistic way that ensures a commitment of security across the organisation.

This means a responsibility at the C-suite level to be engaging, endorsing, and supportive of training. 

It is our belief that if employees know how important the topic is, that senior leadership takes it very seriously, and the training itself is persistent, not burdensome and very engaging, the results will be dramatic.
