I was on the Microsoft Outlook team during the original email viruses back in the late 90s and early 00s.
After Melissa and then ILoveYou hit, we were told to “come in that weekend to fix the issue we had with viruses and worms”. That fateful Friday in May 2000, we thought we’d fix that problem for good in short order.
By that Sunday night, I came to the realization that it wouldn’t be that easy. In fact, I wasn’t convinced we’d ever fully solve this problem based on what we were finding. Any place where technology and people intersect was clearly going to be one of the toughest challenges in cybersecurity.
That premonition turned out to be true. Fast forward two+ decades later and we’re seeing adversaries take serious advantage of this with:
- 74% of breaches due to human error
- 2x increase in pretexting attacks
- 2.5x increase in attacks targeting privileged users
Work from anywhere has amplified this problem. There’s no place like (working from) home.
Networks, Devices, and Applications – Oh My!
At a recent security conference, we demoed Elevate’s platform to over 100 attendees. As we demoed, there was one common conversation:
Attendee: Why is this focused on people and not IPs, systems, or apps?
Me: Because people are the primary attack vector and are coming in from different devices, networks and software. The old view has been breaking as the workforce has gotten more hybrid and mobile.
Attendee: Oh shoot, you’re right.
That ‘aha’ moment crystalized as we spoke more. I walked through the stats above. We talked through how 8% of employees cause 80% of the incidents security teams need to clean up. We talked through how identity is the new perimeter and people are at the center of that strategy.
Everyone walked away with a much clearer picture of how their security strategy needed to shift.
Pay No Attention To The Man Behind The Curtain
In my 20+ years of cybersecurity, we’ve been trying to secure networks, devices and applications with every approach under the sun. In fact, we haven’t solved the social engineering and phishing issues I mentioned at the beginning of this blog. We’ve bought into next-gen, next next-gen, and whatever the gen after that is. We haven’t made big strides, and it’s left the security industry cynical about snake oil products.
On the people side of security, what do we have? Awareness & Training videos. We’ve tried that for 20 years. Phishing simulations. Been at that for more than a decade. Elevate measures the efficacy of these tools in real-world reduction of risk and while I’m not one to throw people under the bus, it’s not pretty. I’ve heard many industry pundits say that we don’t spend enough on security budgets on these approaches, but based on the data we’ve seen, I think we’ve spent the right amount.
If we should be moving past only looking at networks, devices, and applications *and* our current awareness and phishing sims aren’t working, is there a better way? One that actually works?
That, My Dear, is a Horse of a Different Color
[Enter Elevate Security – stage left]
The team at Elevate has been solving the people’s side of security longer than any other company. We’re starting to see lots of copycats, but make no mistake, as several prospects and customers have said, “Elevate is light years ahead”.
The simplest approach to getting started, though, is:
- Get visibility into real-world employee risk
- Automate responses to that visibility to drive down risk
Elevate starts with visibility by giving security teams deep insights into employee risk based on factors including behaviors, adversary tactics, and their role. This data is pulled from standard technology companies have in place today—email and web gateways, endpoint, DLP, and identity systems. By building these risk profiles, it becomes clear who is risky and who are your champions.
The next step is taking action on that visibility to help reduce risk in your organization. Those actions could be as simple as nudging employees who need course correcting, to creating watchlists for your operations team to help with triage, to stronger security policies in control technology or identity tooling to automatically reduce the likelihood of an incident.
Elevate comes with built-in automation and an easily configurable policy engine so you can respond to these risks how you see appropriate.
- Want to remind a contractor about data handling policies four weeks before their end date? Easy.
- Want to nudge employees on ChatGPT usage in Slack or Teams when you see them using it? No problem.
- Want to drive conditional access policies when risk signals are present for a privileged user? Already built-in.
- Want to enable stricter tech policies for Donny Downloader, Carol the Clicker, or Ben the Bad Browser? We’ve got that too.
In fact, Elevate customers who’ve adopted our automated responses are seeing up to a 70% decrease in account compromise, data loss, and phishing risks.
We’d love to show you how we’ve partnered with our customers to join them on this journey. If you’d like to learn more, schedule some time with us today!