Human Risk Management

What is human risk management?

Human risk management (HRM) is a holistic approach to cyber security focused on first identifying, then quantifying, managing, and ultimately, reducing the human risk that organizations face. This human risk can exist from external sources, but the main focus of HRM is internal threats. HRM prioritizes identifying and then monitoring the behavior of the users that pose the most risk. Through this approach, security teams can prioritize the users who need the most training and monitoring, since security awareness programs can’t take a one-size-fits-all approach. HRM seeks to create a security-positive culture where safe behavior becomes second nature.

Understanding human risk

Human risk is defined as the potential for an individual’s actions to disrupt or cause harm to an organization, whether intentional or not, whether originating internally or externally. Also known as human error, human risk represents an area of renewed focus for a cyber security industry that continually works to stay ahead of adversaries. With broad attacks stopped more easily and frequently by AI-based security tools, cybercriminals have shifted focus to targeted attacks designed to take advantage of human error. Organizations must adapt to stop this growing human risk.

Why do organizations have to manage human risk?

Organizations must manage human risk in order to remain secure in the face of today’s cyberattacks which seek to target the most vulnerable employees within an organization – the ones for whom security awareness training has not been as effective – who are most likely to click unsafe links, download unsafe files, or fall victim to business email compromise.

Organizations that do not manage human risk leave themselves vulnerable to employee error, ethical issues, poor cyber security practices, and poor or ineffective cyber security training.

Why is human risk management important for cyber security?

HRM seizes on the latest technology available in the cyber security industry. It focuses resources on the most vulnerable users that tend to cause the most security incidents. It allows organizations to make the most effective use of their security tools. HRM gives security teams the tools they need to measure, predict, and manage the risk presented by their users. With HRM, organizations can identify early indictors of compromise, future vulnerabilities, and risk outcomes.

Benefits of human risk management

HRM is designed to prevent the evolving and sophisticated threats targeting human error within organizations. HRM offers preventative controls and the ability to take direct actions that mitigate the risk associated with human behavior such as clicking a link that downloads malware, opening malicious attachments, or visiting a website with malicious content. HRM marks an important and eagerly anticipated milestone in advancement toward the next generation of cybersecurity. Brought on by continued employee mistakes and user errors, HRM will provide unprecedented visibility into an organization’s risk profile, scoring users by risk and allowing CISOs to educate and protect the riskiest part of their employee base. With the visibility that HRM offers into an organization’s risk profile, security teams are able to protect their most vulnerable users.

Key components of an effective human risk management program

• Security awareness training

  As organizations evolve their security awareness training strategy to consider all aspects of human risk, it is important to be aware that awareness training and human risk management are not in opposition to each other, but instead, are better together. Security awareness training focuses on what employees know about security – an important but incomplete piece of the equation. Human risk management fills in the gaps but provides an understanding about what employees do in relation to security – what good and bad security decisions do they regularly make? Are they repeat offenders? How frequently are they being attacked? What risk score should be assigned to this risky user? With this understanding, security practitioners are able to gain a picture of the distribution of risky employees across their organization. Analytics show that eight percent of users are causing 80 percent of incidents. Not all users are equal in their security awareness and the human risk they pose.

• Policy implementation and enforcement

  The development and enforcement of policies that guide acceptable behavior within the organization are an important part of HRM. This extends beyond security policies to encompass broader risk management and compliance considerations. Making employees aware of the organization’s security policies, how they are implemented, and how they are enforced is a good start to ensuring secure behavior. Coupled with security awareness training, this gives users a broad and effective understanding of what is expected of them when it comes to keeping their organizations secure.

• Continuous monitoring and assessment

  The HRM platform marks an important and eagerly anticipated milestone in advancement toward the next generation of cybersecurity. In response to customer and market demand for a more effective means of mitigating risk brought on by human error, the HRM platform will provide unprecedented visibility into an organization’s risk profile, scoring users by risk and allowing CISOs to educate and protect the riskiest part of their employee base. This is accomplished through continuous monitoring and assessment of employee behavior.

With an HRM platform, security teams can surface and centralize risk signals in the form of a human risk dashboard. This provides security teams with human risk scoring and visibility based on event data from both native metrics as well as data from third-party tools. A key function of the HRM platform and the human risk dashboard is to integrate findings into an organization’s security awareness training program. This redefines how security leaders can manage human risk.

Effective strategies for human risk mitigation

• Conducting regular phishing simulations

  Phishing simulation programs can help protect organizations from phishing attacks that could lead to costly data breaches or ransomware attacks. Phishing simulation programs can help understand how well-prepared organizations are to handle phishing attack attempts and give employees tactile experience that will prepare them to respond appropriately to any real-world phishing attacks.

  During a simulated phishing attack, employees receive an email that closely mimics what they might see in a real phishing attack, but any mistakes or inaction will be inconsequential as the simulated phishing emails do not contain actual malware. The simulated phishing emails will, however, be able to track and record the actions and responses of employees, and this will help gauge how effective the training was, and which gaps still need to be filled in bolstering security awareness.

• Implementing a zero trust security model

  Rather than establish a security perimeter around a network and trust any user who can log into it, a zero-trust model assumes any user identity can be compromised. It uses multifactor authentication (MFA) to improve security beyond the username and password combination and applies a “least privilege” principle, giving the user the least access possible at every turn, and requiring additional validation before stepping up access privileges.

  Zero trust security establishes trust every time a user tries to access an asset in the system by checking the asset against the user’s profile, the sensitivity of the asset being accessed and the context of the activity, such as the user’s location or electronic device, or whether that user’s job should even require that level of access. If the context cues don’t match, the user may be asked to revalidate their identity before proceeding.

• Enhancing incident response protocols

  An incident response plan outlines the actionable steps required to prepare for, respond to, and recover from a cyberattack. It can be a crucial differentiator in how organizations contains an attack, limit damage, respond to regulatory oversight, and ensure employee and customer trust. In terms of HRM, incident response protocols should reflect the knowledge about users that has been gained through monitoring and assessment.

How Mimecast can help you with human risk management

Human risk management offers organizations the visibility and context they need to reduce their risk profiles and protect their users from sophisticated cyber threats. Mimecast’s connected HRM platform is designed to prevent the evolving and sophisticated threats targeting human error within organizations. Mimecast’s HRM platform offers preventative controls and the ability to take direct actions that mitigate risk. With this connected HRM platform, security teams will receive visibility into their organization’s risk profile, scoring users by risk and allowing CISOs to educate and protect the riskiest part of their employee base.