
Do You Know the Human Behind the Employee?

Jess Burn
02.03.2022

Illustration By Emanuel Santos

A recent Forrester study found that nearly two-thirds of security leaders believe that employees will cause their next data breach – how can they overcome this fear and secure their companies? In a RE: Human Layer Security Podcast episode Jess Burn, Senior Analyst at Forrester, discussed the report and shared how organizations can improve their human-centric approach to security.

Listen to the whole episode here, or read on for Jess’ top three takeaways.

A more human approach equates to better email security and data loss prevention

The data from the report indicates that those who do not take a human layer approach feel resigned to the constant battle against email and human error-borne threats and have lost control over business disruptions. 

Forrester’s first recommendation is to understand what your employees actually do day-to-day. Talk to the people and teams who are on the front lines of employee experience – tech support, help desk, project or product managers, and developers. The goal is to really understand how they complete their tasks and communicate, and consider how effectively your current solutions safeguard data as they complete those tasks. These workflows or employee journey maps should cover areas of vulnerability to human error and highlight where to focus additional training and resources.

Next, we consider the tech. You need to think about:

  1. How to use what you have to the best of its ability
  2. How to layer on additional tools that fill gaps in mitigating risk

Ideally, businesses should be using tools that provide automation and use machine learning technology. This helps you stay one step ahead of constantly evolving attacks and reduces the hours that the security team would otherwise spend on triage and investigation.

Context is key when it comes to detecting more nuanced and advanced human-related security incidents

What people are missing overall right now is context, and that gap contributes heavily to all of those hours (noted in the study) that security team members spend investigating incidents. Traditional tools are reactive alert machines that rely on rules and filters, so they lack that context. The result is a lot of noise and a lot of false positives, which is very disruptive and a big time-waster.

Machine learning can help fill this gap, and it has come a very long way in the past five or so years. You can use machine learning tools to understand how individuals, teams, departments, or specific functions work (i.e., what their workflows look like) and how they’re communicating and sharing data (both internally and with customers or partners). Once you have that information, you’re halfway there.

Understanding how people do their jobs enables you to better spot abnormalities and abnormal patterns that might indicate somebody is making a mistake or has malicious intent. This is hugely valuable, as you can take action before any significant damage is done.

In-the-moment warnings and healthy security culture are vital  

Improving the security of organizations is all about changing security culture, and you don’t do that by being punitive, running phishing tests and telling people that they’re doing a bad job. Companies need to help employees make security the easy choice in their daily lives, and that relies on a whole new way of looking at people’s behaviors. So these new solutions that are layered on top of other platforms are helping with that because they’re focused on that human layer.

People may be a big threat to the security of an organization, but they are also the engine. They need to do their jobs, and it is when they try to get around policies or short-circuit cumbersome security processes that incidents of data loss most often occur.

We recommend giving contextual in-the-moment coaching which helps employees make the right decisions in real-time. 

In-the-moment training also improves security awareness. Are you going to remember what some talking head said in a boring, 45-minute video that you have to watch once a year and complete a quiz on? What about if something pops up and says ‘Hey! We see you’re sending this. Are you sure you want to do that?’

A message that lets people know that what they’re doing is risky (and explains why) is going to stick better than watching an awareness video… even if the video is funny!

To hear more from Jess and learn more about the potential impact of a more human-centric approach to security, listen to the podcast episode, or download the report: Take Control of Email Security with Human Layer Security Protection.