Mimecast seeks to reinforce the human firewall
Training service with Ataata wants to combat breaches caused by employee mistakes
Ask any cyber security expert and they will tell you the same thing: security awareness among employees, in almost all organisations, is highly deficient.
Just 11% of companies globally are training their people, yet 95% of security breaches emanate from human error, according to research by email security solutions vendor Mimecast.
Mimecast wants to change that and has launched a security training programme for employees, which seeks both to create a learning environment tied to their everyday jobs and to deliver it through a more engaging model.
The training service came through Mimecast’s acquisition of Ataata, a security awareness training and cyber risk management platform that helps organisations combat information security breaches caused by employee mistakes.
The acquisition sought to create a single cloud-based platform that calculates an employee's potential risk and susceptibility to today's cybersecurity threats such as phishing campaigns, failing to recognise malicious websites, and more.
These risk factors will be calculated by both monitoring and analysing an employee's "sentiment" and behaviour. Once a score is issued, staff members can then be given training based on their score to lower the risk of corporate cyberattacks.
Ataata combines interactive training techniques with predictive analytics to solve organisations' vulnerability to human error. Employees receive a video each week and are then required to answer a question after viewing the content. The result is used to measure the particular employee's security awareness level and deliver a risk score throughout the year.
“The programme measures the security awareness level of employees with a risk score throughout the year. The data generated provides CIOs and CISOs with information they can use to make decisions about security awareness in terms of who the diligent people are and who aren’t,” explained Jeff Ogden, GM for Middle East at Mimecast.
The training programme is integrated into Mimecast products, which Ogden said is the key differentiator.
When content comes through the email gateway, Mimecast solutions will detect whether it is malicious. If it is, the product will de-weaponise the piece of malicious content and still forward it to the user. The metrics built into the system will then measure how users interact with the content. Those who err are then played a video associated with the indiscretion. “The fact that the training is part of the business-as-usual process is crucial,” said Ogden.
Few of Mimecast’s competitors are making sure that actions are prompted by real-world data.
“A lot of other products are having to generate false phishing attacks; there's no other better method of gauging the effect of a phishing attack than to measure a real one as opposed to a convoluted one,” said Ogden.
The developers of Ataata reckon that to change security culture effectively, “employees have to know what to do, care enough to improve, and then do what’s right when it matters.” Yet people are creatures of habit and can be resistant to change in their daily lives. An effective security awareness programme will go a long way in changing behaviour and lowering risk by addressing the human firewall in a unique way.
A major shortcoming in training videos is that they are often dull, putting off a lot of employees. The founders of Ataata did a lot of research into the science of content, making sure that the material the company produces keeps trainees engaged over the long term. “This was a key factor why Mimecast acquired the company,” Ogden said.
Two characters, "Sound Judgement" and "Human Error", are used in the training. The two personas hover over each shoulder of an employee, one reinforcing good decisions while her diabolical antagonist urges risk taking. This role play helps the content stick with customers, said Ogden.
Even for organisations with awareness campaigns, the follow-through is often lacking.
The flexibility of the Mimecast/Ataata programme allows customers to customise their own security enforcement procedures, reflecting the culture of the product, says Ogden. He cites an example where a business forces an errant employee to wear a "Human Error" T-shirt for the day when they reach a particular risk level.