
4 Reasons why your Human Risk Management & Email Security Vendor should be different.

If you already know this, feel free to skip ahead, no offense taken. If you don't, let us prove the point.

On paper, your human risk strategy might look solid: email security in place, simulations running, awareness boxes ticked. Everything seems to be working, until it isn't. The real gaps don't show up in dashboards; they show up in behaviour, and by then it's usually too late.

Let's start with where the cracks usually begin: the structure itself.

Compromised Separation of Duties

The cyber threat landscape keeps evolving, yet one threat remains constant: phishing. In 90% of cyber-attacks, phishing is one of the causes, if not the root cause.

When the email gateway fails to do its job, phishing emails land in end users' mailboxes, exposing them to a risk that still has to be addressed. One recommendation appears in every phishing incident report: security awareness.

If your email security vendor could not protect you from a major phishing attack, would you consider replacing them, or would you trust them further to address the human risk as well?

Grading Their Own Homework

If your email security vendor also provides your phishing simulations, they may naturally design tests that their own filters are already optimised to catch, creating a false sense of security.

Some email security vendors may say, "Oh, we do provide a reporter plug-in for end users to report suspicious emails, in case we are unable to detect them." In the first place, you have already paid them to block suspicious emails. If end users are reporting those emails back to the same platform, why pay that platform extra for triage and incident response?

Lack of "Best-of-Breed" Specialisation

Human risk vendors excel at behavioural science: they monitor vulnerable end user behaviour in real time, build 360-degree risk profiles, and deliver instant security awareness and policy enforcement. Dedicated email security vendors focus purely on email-driven threats. Each specialises in its own domain with a completely different thought process: one focuses on technology, the other on psychology.

Human Risk Goes Beyond Email Security

If your benchmark for addressing human risk is that your "Champion User X" passes every phishing simulation, completes all assigned security awareness content, and identifies suspicious emails and reports them back to the same platform you paid to stop those emails in the first place, then think again.

What if your Champion User X was busy performing a mass delete on SharePoint? What if he tried 5 times to plug in a USB drive, knowing that doing so violates the Acceptable Use Policy? And don't forget the 10 attempts to access a restricted folder meant for management only.

At PhishRod, Human Risk Management begins with building end user risk profiles through AI-driven assessments and real-time monitoring of end user behaviour, then delivering instant security awareness and policy compliance nudges in response to risky behaviours, which contributes to building a cyber secure culture.
