Forrester recently released a new wave on Security Awareness & Training, where Elevate appears prominently as one of the strongest performers. Yay!
The strange thing though is that Elevate does not do Awareness and Training 🤔
What’s Going On Here?
It seems Forrester is figuring out what we recognized a while ago – that the fundamental problem in protecting users stems from understanding who in your organization is risky and why they are risky. This is an insight that is simply not available through the traditional Awareness and Training approach.
20 years ago we settled on a best practice that having our users watch videos was the right approach, but we never really asked ourselves if that actually reduced the risk.
10 years ago we did the same with phishing simulations and just assumed that when users got better at detecting our simulations, it meant they would do better in the real world.
But, it’s important that we ask ourselves honestly if this approach works? And if it doesn’t, where do we go from here? The only real way to answer these questions is with data.
Fortunately, Elevate has some great data.
What The Data Says
At the core of Elevate is a platform that ingests data from enterprise security technology stacks across categories such as phishing, malware, browsing, password security, data handling, and more. Two other common data sets we ingest are phishing simulations and training.
These data sets give us strong insights into patterns across areas such as industries and customers, but also patterns across the types of risk.
Elevate’s platform identifies incredibly useful information, such as 6% of users are causing the vast majority of incidents, or that middle management is the weakest link in most organizations.
It also clarifies that neither phishing simulation success nor completing training have a significant impact on real-world behaviors or risk. It turns out there are steep diminishing returns between taking training and improved security decision making. The same goes for phishing simulations.
Although – one strong correlation we did find is that individuals who are late in completing their training, or don’t do it at all, are on average a higher security risk (we can save the dissection of that for another time).
Solving From First Principles
To really deal with user risk, we need to start from simple first principles.
- Understand who our risky users are and why
- Put safeguards in place to mitigate that risk
Then what? Constantly rinse & repeat because unlike threats, you can’t remove users.
If we understand who the risky individuals are and why they are risky, we’ve won half the battle. Right now most organizations have zero visibility into this, which doesn’t allow them to take action on that risk. Elevate’s platform has shown that 6% percent of users are causing 90% of incidents, but most organizations don’t know who those individuals are.
Once we have visibility, we can take action. Safeguards can be put in place for those users who are particularly risky. These safeguards can be progressive and gradual or could be in real-time based on actions the users have taken or other new information (such as an increase in attacks).
Understanding Our Risky Users
Gaining visibility into user risk requires understanding employees on three key levels:
- Actions
- Access
- Attacked
Past behavior is the best predictor of the future, so Elevate starts with understanding a user’s actions to begin determining how risky they are. We call it a security credit score, because these profiles are built historically across information from security tools, such as email/phishing, malware, web browsing, data handling, etc. This is using real data, across real technology, not surveys or quiz answers.
Next, we determine an employee’s blast radius based on their access level. We all know that a frontline worker with very little access to sensitive data is less risky than someone in finance or engineering, with access to strategic and sensitive information. It’s clear that understanding access is an important equation in understanding user risk.
The third piece is to consider how often or likely a user is getting attacked. How often is an attacker trying to trick a user into clicking on a phishing email, download malware, or fall for another type of threat. Clearly, someone who is attacked more frequently is at higher risk than those who never see attacks.
That’s the first principle – who are they? Now let’s discuss – what to do about it.
Safeguarding Risky Users
Traditional approaches to solving user risk focus on education. But, we know that 6% of users are causing 90% of incidents – clearly education isn’t helping them. How do we best protect the individuals causing the bulk of our risk without adding unnecessary business friction to everyone else?
We believe that in the same way Incident Response teams have adopted SOAR technologies to respond through automated playbooks, security teams should do the same to get in front of user risk.
Here are a few types of automated responses to reduce risk:
- Real-Time Feedback Personalized, direct, real-time feedback can be given based on an employees actions – “we just noticed you mishandled sensitive data that violated a company policy, here’s how to avoid that next time”.
- Embedded User Risk Intelligence Security teams and technologies are constantly making decisions on user risk without real knowledge. Forward looking security are embedding Elevate’s risk score into IAM, IR processes and other tooling to make smarter decisions.
- Automate Policies Security controls in place should match the risk the user is to an organization. By automating these policies security teams can ensure that their identity, endpoint and email controls are appropriately commensurate with risk.
The Future
It’s clear that the category is about to undergo a massive transformation. One that answers a simple question – how do we better protect our users – with a simple goal of reducing the likelihood of incidents.
Forrester looks like it’s recognizing this by positioning Elevate Security in such a strong strategic position. They clearly see the value of continuous measurement coupled with adaptive safeguards targeted at our riskiest users.
As Forrester says in the report, “You need a different way to manage human risk, not better ways to train people.”
That’s the future we need.
Cyentia’s new report, The Size and Shape of Workforce Risk, in partnership with Elevate Security, will help you to start making sense of the user risk landscape in your organization and begin measuring your true risk profile. Download the Full Report