As the nature and complexity of cyber threats rapidly evolve, companies have realised that they must look beyond purely technical solutions and equip their employees with the skills to safeguard the business against attack.
However, Mimecast has found that while 86% of organisations now train employees at least quarterly to identify and report threats, a significant 43% still cite lack of employee awareness as their top concern, indicating that traditional training is simply not up to the task.
“Most organisations remain doggedly focused on protecting against external threats including cloud services, exposed email accounts, and domain risks. This is often done at the expense of internal threats like accidental data sharing and risky behaviour,” says Heino Gevers, Mimecast Senior Director of Technical Support.
“Of course we see impersonation attacks, credential harvesting, and external phishing attacks continuing, but employees are increasingly contributing to preventable breaches with malware clicks and downloads, and even data leaks.”
Gevers’ concern is borne out by the findings of the Mimecast report, which shows that organisations expect a 66% increase in internal threats and data leaks in the next 12 months (up from 43% in the last 12 months), coming at a significant cost to companies.
The call is coming from inside
Other findings from Mimecast research show that more than half (55%) of organisations are not fully prepared, nor have appropriate strategies, to deal with the sharp increase in AI-driven phishing and other realistic-looking threats.
“Training must shift to address these new and very sophisticated attack vectors. The harsh reality, however, is that only six percent of respondents say their organisation’s security policies are continuously updated based on emerging trends. This shows that even if employees are being trained, the policies they are learning are unlikely to keep up with our mercurial threat landscape,” Gevers shares.
What’s more, he says just 8% of employees account for 80% of incidents. “This is a clear indicator that a one-size-fits-all security and awareness approach, which is employed by a concerning number of organisations, is just not good enough. Training must be targeted and personalised to address the highest-risk individuals who can singlehandedly wreak havoc in the workplace,” he adds.
Gevers goes on to say that the discipline of Human Risk Management (HRM) goes beyond security awareness and training alone, taking a holistic approach to cybersecurity focused on identifying, quantifying, managing and reducing the human risk that organisations face.
People-centric security designed to empower

While cyberattacks have become significantly more sophisticated, so too has the approach used to combat them.
Using signals from security tools, communication channels and user behaviour, security teams can now establish centralised views of which departments and employees are at the greatest risk of cyber threats.
Gevers says by continuously analysing behaviours across communication channels and digital tools, it’s now possible to assign individual risk scores so security teams can prioritise training and awareness interventions for those most at risk.
This means when risky encounters are detected, automated, real-time prompts powered by AI and behavioural analytics can guide employees toward safer actions, directly in the platforms where they’re working, whether it be email or collaboration channels like Teams or Slack.
In addition, a range of actionable metrics also makes it possible to manage future risk with adaptive policies and technology controls – while simplifying governance and compliance.
“The HRM space is being completely reinvented thanks to the advances in behavioural biometric technology. Live diagnosis, risk scoring, and real time dashboard metrics for adaptive policies and automated human risk management keep human beings at the centre of the solution, but with the most current technology helping them make better, more informed decisions,” Gevers explains.
New developments include behavioural nudges as part of adaptive training. For instance, if someone is taking an action that has been deemed risky, a contextual message will pop up with relevant information about the action they’re about to take, or they may be subject to stricter policy enforcement. This helps teams properly consider their actions without disempowering them.
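To make the pipeline sketched in this section concrete, here is an added example (not Mimecast’s code or any product’s logic): it turns per-user signals into risk scores, rolls them up by department, ranks users for targeted training, checks how concentrated incidents are among a small share of users (the “8% cause 80%” pattern mentioned earlier), and decides whether a risky action gets a contextual nudge or stricter enforcement. The event log, event names, weights and thresholds are all constructed for the demonstration.

```python
"""Added example (not Mimecast's code): a toy human-risk scoring pipeline.

It turns per-user security signals into risk scores, ranks users and
departments for targeted training, measures how concentrated incidents are
among a small share of users, and picks the intervention (contextual nudge
versus stricter enforcement) for a risky action. Event data, event names,
weights and thresholds are all constructed for the demonstration.
"""
from collections import Counter, defaultdict

# Constructed sample signals: "<timestamp> <user> <department> <event>".
SAMPLE_EVENTS = """\
2024-05-01T09:12:00Z alice finance phish_sim_click
2024-05-02T10:03:00Z alice finance malware_download
2024-05-03T11:40:00Z alice finance external_share_sensitive
2024-05-03T12:00:00Z bob finance phish_sim_report
2024-05-04T08:30:00Z carol engineering phish_sim_click
2024-05-05T14:15:00Z dave sales phish_sim_report
2024-05-05T15:00:00Z erin sales phish_sim_report
2024-05-06T09:00:00Z alice finance phish_sim_click
2024-05-06T10:00:00Z frank hr external_share_sensitive
"""

# Assumed weights; a negative weight rewards protective behaviour (reporting).
EVENT_WEIGHTS = {
    "phish_sim_click": 4,
    "malware_download": 10,
    "external_share_sensitive": 6,
    "phish_sim_report": -2,
}
INCIDENT_EVENTS = {"phish_sim_click", "malware_download", "external_share_sensitive"}
RISKY_ACTIONS = {"external_share_sensitive", "run_unknown_attachment"}
ENFORCE_THRESHOLD = 15  # assumed score at which nudges give way to enforcement


def parse_events(text):
    """Parse the whitespace-separated log into (user, department, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, dept, kind = line.split()
        events.append((user, dept, kind))
    return events


def score_users(events):
    """Weighted sum of signals per user, floored at zero so good behaviour
    can offset risk but not go negative. Returns ({user: score}, {user: dept})."""
    scores, depts = defaultdict(int), {}
    for user, dept, kind in events:
        scores[user] += EVENT_WEIGHTS.get(kind, 0)
        depts[user] = dept
    return {u: max(0, s) for u, s in scores.items()}, depts


def rank_users(scores):
    """Highest-risk users first: the ones to prioritise for targeted training."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def department_risk(scores, depts):
    """Roll user scores up to departments for the centralised risk view."""
    totals = defaultdict(int)
    for user, score in scores.items():
        totals[depts[user]] += score
    return dict(totals)


def incident_concentration(events, top_fraction):
    """Share of incidents caused by the top `top_fraction` of users (by incident
    count). Lets a team check claims like '8% of users cause 80% of incidents'."""
    per_user = Counter(u for u, _d, k in events if k in INCIDENT_EVENTS)
    total = sum(per_user.values())
    if total == 0:
        return 0.0
    n_users = len({u for u, _d, _k in events})
    n_top = max(1, round(top_fraction * n_users))
    top = sum(c for _u, c in per_user.most_common(n_top))
    return top / total


def choose_intervention(score, action):
    """Decide what happens when a user attempts an action: allow it, show a
    contextual nudge, or apply stricter enforcement for high-risk users."""
    if action not in RISKY_ACTIONS:
        return "allow", ""
    if score >= ENFORCE_THRESHOLD:
        return "enforce", f"{action} is blocked pending manager approval (risk score {score})"
    return "nudge", f"Heads up: {action} is considered risky. Continue?"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    scores, depts = score_users(evs)
    for user, score in rank_users(scores):
        print(f"{user:8} {depts[user]:12} {score:3}")
    print("departments:", department_risk(scores, depts))
    print("top-user incident share:", round(incident_concentration(evs, 0.08), 2))
    print(choose_intervention(scores["alice"], "external_share_sensitive"))
```

On the constructed log, one user accounts for four of six incidents, so the single highest-risk user (the top 8% of this small population, rounded up to one person) produces two thirds of the incidents; that is the kind of concentration that argues for targeted rather than one-size-fits-all training. A production system would additionally decay old events over time and tune weights and thresholds from observed outcomes rather than the assumed constants used here.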

Creating safe spaces
Gevers adds that training must be personalised, focused on the departments and individuals that the risk scoring has classified as vulnerable and who are experiencing a specific issue.
“Human risk should also not be viewed as a weakness or an excuse to target or blame individuals. People are always the first line of defence. Organisations should empower their employees to foster a security-positive culture and be part of the solution. Teams who are unafraid of being blamed or belittled are far more likely to communicate missteps, allowing for proactive and effective security management,” Gevers says.