
The Ultimate Guide to Human Risk Management (HRM)

Don’t be fooled...

Businesses are investing more than ever into strengthening their resilience against evolving cyber threats, but a big problem still plagues SMBs and enterprises in every sector — user-related data breaches.

Even with more businesses rolling out security awareness training, deploying advanced technical controls and following stricter data compliance standards, data breaches are more widespread than ever.

But why is this?

With many businesses we've come across, the technical elements of security - like firewalls and endpoint protection - are still relied upon as a silver bullet for keeping their data and people safe.

But technical controls aren't a silver bullet: a phishing email that clears the mail filter, or a password reused on a breached site, lands on a person. When the technology fails, the human element is the control that remains.

True, more businesses are rolling out security awareness training programs to address their human element of security, but irregular and generic training doesn’t always stick and it can be difficult to measure.

So, what's the solution?

In this article, we look at how businesses can truly reduce user-related security incidents and drive secure employee behaviour through usecure's automated Human Risk Management (HRM) platform.


What is Human Risk Management (HRM)?

Here's how usecure defines HRM:

Human Risk Management is the new class of user-focused security that empowers businesses to understand, reduce and monitor their employee cyber risk — without having to sacrifice budget, staff productivity or your IT team's sanity for protection.


Whereas businesses typically deploy security awareness training programs to reduce employee risk, HRM offers a full-circle solution for transforming humans into a business' strongest defence against evolving threats.

How usecure simplifies HRM

It can seem a bit daunting when thinking about launching, managing and measuring a risk management solution. That's why usecure's Human Risk Management platform uses an automated and simplified approach that makes deployment and admin super easy. Here's how it works:

[Figure: HRM process chart]

Key features of an effective HRM program

To make sure that employee cyber risk is continuously being tackled, usecure's HRM platform automates the following features:

  • Cyber Awareness Training - Personalised video and interactive training programs are created for every user, with bite-sized courses and follow-up quizzes being automatically sent each month. 
  • Simulated Phishing - Regular phishing simulations are automatically deployed that assess user vulnerability to a range of attack techniques. Custom phishing campaigns can be created in minutes.
  • Dark Web Monitoring - Continuous dark web monitoring detects when sensitive company data (e.g. usernames and passwords) has appeared in a data breach, which could be used for targeted attacks.
  • Policy Management - Policies are centralised in one easily accessible place and staff are automatically notified of any updated policies that they need to sign, with staff approval signatures being tracked.
  • Human Risk Monitoring - Human risk is continuously tracked, with insight-rich reporting and human risk scoring. Dig deep into training performance and phishing trends straight from your dashboard.
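The Human Risk Monitoring feature above fuses phishing, training and credential-exposure results into one score per user and an organisation-wide benchmark. The following is an added example of how such a score can be computed from raw events; it is illustrative code, not usecure's scoring model. The event types, the weights (0.5 phishing, 0.3 training, 0.2 exposure), the "neutral 0.5 when a user has no data" rule and the sample users and dates are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Assumed weights for fusing the three signals into one score (not usecure's model).
WEIGHTS = {"phishing": 0.5, "training": 0.3, "exposure": 0.2}


@dataclass(frozen=True)
class Event:
    user: str
    # Assumed event kinds: phish_sent, phish_clicked, course_assigned,
    # course_completed, cred_exposed, cred_resolved
    kind: str
    day: date


def score_users(events, until_iso):
    """Per-user risk score (0 = lowest, 100 = highest) from all events up to a date.

    Scoring the same event stream at two dates gives a benchmark and a trend.
    """
    until = date.fromisoformat(until_iso)
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.day <= until:
            counts[e.user][e.kind] += 1

    scores = {}
    for user, c in counts.items():
        # Phishing: share of simulations the user fell for; 0.5 (neutral) if never tested.
        phishing = c["phish_clicked"] / c["phish_sent"] if c["phish_sent"] else 0.5
        # Training: share of assigned courses still outstanding; neutral if none assigned.
        training = (1 - c["course_completed"] / c["course_assigned"]
                    if c["course_assigned"] else 0.5)
        # Exposure: a breached credential that has not been reset counts in full.
        exposure = 1.0 if c["cred_exposed"] > c["cred_resolved"] else 0.0
        raw = (WEIGHTS["phishing"] * phishing
               + WEIGHTS["training"] * training
               + WEIGHTS["exposure"] * exposure)
        scores[user] = round(100 * raw, 1)
    return scores


def org_score(scores):
    """Organisation benchmark: mean of the per-user scores."""
    return round(mean(scores.values()), 1) if scores else 0.0


# Constructed sample events for three fictional users over two months.
SAMPLE = [Event(u, k, date.fromisoformat(d)) for u, k, d in [
    # January: alice clicks one of two phish and has a leaked credential
    ("alice", "course_assigned", "2024-01-05"), ("alice", "course_assigned", "2024-01-05"),
    ("alice", "course_completed", "2024-01-08"),
    ("alice", "phish_sent", "2024-01-10"), ("alice", "phish_clicked", "2024-01-10"),
    ("alice", "cred_exposed", "2024-01-15"),
    ("alice", "phish_sent", "2024-01-20"),
    # bob clicks everything and completes nothing
    ("bob", "course_assigned", "2024-01-05"), ("bob", "course_assigned", "2024-01-05"),
    ("bob", "phish_sent", "2024-01-10"), ("bob", "phish_clicked", "2024-01-10"),
    ("bob", "phish_sent", "2024-01-20"), ("bob", "phish_clicked", "2024-01-20"),
    # carol is spotless in January
    ("carol", "course_assigned", "2024-01-05"), ("carol", "course_assigned", "2024-01-05"),
    ("carol", "course_completed", "2024-01-06"), ("carol", "course_completed", "2024-01-06"),
    ("carol", "phish_sent", "2024-01-10"), ("carol", "phish_sent", "2024-01-20"),
    # February: alice finishes training and resets the leaked credential
    ("alice", "course_completed", "2024-02-01"), ("alice", "course_assigned", "2024-02-01"),
    ("alice", "cred_resolved", "2024-02-02"),
    ("alice", "phish_sent", "2024-02-10"), ("alice", "course_completed", "2024-02-15"),
    ("alice", "phish_sent", "2024-02-20"),
    ("bob", "course_assigned", "2024-02-01"), ("bob", "course_completed", "2024-02-05"),
    ("bob", "phish_sent", "2024-02-10"), ("bob", "phish_sent", "2024-02-20"),
    # carol falls for a February simulation, so her score rises
    ("carol", "phish_sent", "2024-02-10"), ("carol", "phish_clicked", "2024-02-10"),
]]


if __name__ == "__main__":
    for cutoff in ("2024-01-31", "2024-02-29"):
        users = score_users(SAMPLE, cutoff)
        print(cutoff, users, "org:", org_score(users))
```

Scoring the same stream at the January and February cut-offs shows the organisation benchmark falling from 46.7 to 24.7 while carol's individual score rises, which is the kind of per-user movement a dashboard needs to surface rather than hide inside the average.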

Why do today's businesses need to manage their human cyber risk?

Employees play a huge role in keeping systems and sensitive data safe which, in the wrong hands, can cause hefty financial, operational and reputational damage.

The bad news is that employees make mistakes: Verizon's 2021 Data Breach Investigations Report found that 85% of breaches involved a human element.

So, what exactly are the "human problems" of cyber security?

Human error is a big problem

Whether it's typos or forgetting passwords, mistakes at work happen every day.

Unfortunately, supposedly small mistakes like opening an attachment from an unknown sender or misdirecting an email on a burnt-out Friday afternoon can cause more than just a red face, with IBM reporting human error as a contributing factor in 95% of breaches.

Whether it's down to lack of awareness or just a momentary lapse of judgement, it's vital for businesses to train their users in order to reduce costly mistakes.

uLearn, usecure's automated security awareness training platform, analyses each user's unique security vulnerabilities through a quick-fire questionnaire, and then strengthens these areas through personalised training programs, with prioritised courses auto-deployed every month.

Employees break the rules

Sometimes, rule-breaking can be done with malicious intent, like a disgruntled ex-employee stealing mountains of data and selling this on to scammers or whoever else is willing to buy.

According to the IBM-sponsored Cost of Insider Threats report, insider threats (including employee data theft) cost companies an average of $11.45M a year, and incidents have tripled since 2016.

Other times, employees might just be trying to cut corners to make their lives a little easier, like reusing the same password for multiple accounts.

Least-privilege access control limits how much damage a single careless or malicious account can do, but it's just as important to make sure that employees are well-versed in the organisation's security policies — like secure passwords, data handling and remote working.

usecure's uPolicy simplifies policy management by centralising documents in one easy-to-find place, automatically notifying staff of policy updates, and tracking eSign approvals to ensure that staff know their responsibilities.

Your human firewall can be exploited

Cyber criminals often view humans as the easiest and quickest way to gain access to a company's systems and data.

This is why so many of today's cyber attacks are geared towards manipulating employees, often with criminals using phishing to impersonate customers, colleagues, contractors and suppliers.

The tricky part is, it only takes one mistake from an employee to cause a ripple of repercussions: the FBI's 2020 Internet Crime Report recorded over 54 million dollars in adjusted losses from phishing scams in the US alone.

Attacks like Business Email Compromise (BEC) and targeted phishing show no sign of slowing, with Google's Safe Browsing data recently showing around 75 times as many phishing sites as malware sites on the internet.

With uPhish, usecure's automated phishing simulation tool, employees are regularly assessed on their ability to spot a range of sophisticated attacks that are being used by real-world cyber criminals, with instant follow-up training being deployed to help educate vulnerable users.

Security awareness training alone won't transform your armoury. HRM will.

It's easy to think that rolling out some security awareness courses and sending a few email bulletins from time to time can fix all of the above. But, as many businesses are finding out, security awareness training alone isn't enough to truly boost user resilience and drive secure human behaviour.

Security awareness training is a core part of Human Risk Management but, by itself, it just doesn't address enough user-targeted risks - like dark web exposures, phishing attacks and adherence to policies.

Plus, traditional training hasn't always been up to scratch...

Why traditional security awareness training alone isn't enough

Here are some common reasons we've found why relying on traditional security awareness training alone is ineffective for tackling human risk:

  • Too much focus on checking the boxes - Traditional user training has been heavily geared towards finding the training content, delivering the training, and then (maybe) testing what the users have learned. This simplistic approach focuses on delivering training rather than on reducing human risk.

  How usecure's HRM fixes this - To tackle human risk areas, you need to shine a light on them first. usecure enables businesses to understand their people's unique cyber vulnerabilities, and then launch automated training programs that tackle their individual risk areas.

  • Not training users regularly - A lot is asked of employees when delivering a one-hour workshop. Staff are expected to understand the information, retain it and then use it. Problem is, we all forget things, and new attack techniques are popping up all of the time. Training employees only once per year or quarter isn't enough.

  How usecure's HRM fixes this - Micro training courses are automatically delivered to each user every month, keeping training frequent enough to make an impact without creating more work or hindering productivity.

  • Delivering generic training - Some employees are highly vulnerable to phishing but really cautious with password hygiene. Some employees have weak passwords that they reuse, but never forget to log out of their devices. Point is, every employee has a unique set of risk areas. Send-to-all training courses don't address each user's knowledge gaps, resulting in unengaging and ineffective learning.

  How usecure's HRM fixes this - To start with, each user's core security knowledge gaps are assessed during a quick 10-minute Gap Analysis Questionnaire and then, from their answers, an ongoing and personalised training program is deployed, with courses prioritised to address their weakest areas first.

  • Not measuring the impact - This is a big one. Like anything in life, if we don't measure performance, how do we know things are improving? Once training has been delivered, it's important to measure what the employees have actually retained.

  How usecure's HRM fixes this - Before launching your HRM program, usecure calculates your organisation's Human Risk Score to give you a benchmark of your employee security posture. Then, multiple metrics (including ongoing phishing, training and dark web results) are fused together to give your business an insightful overview of how user risk is changing over time.

  • Not testing your users' cyber reflexes - Just like athletes, people can look great in training, but how does this translate into a real-world event? Deploying practical tests, like phishing simulations, is an effective way of measuring the impact of training and understanding ongoing exposure to real-world attacks.

  How usecure's HRM fixes this - Regular phishing simulations are automated to help monitor each user's vulnerability to a range of evolving attack techniques.

  • Not tackling the problem at the source - 61% of breaches involve stolen user credentials, like usernames and passwords, many of which are exposed on the dark web. These credentials are then used to fuel credential stuffing, social engineering and spear-phishing attacks against users. Security awareness programs often don't address this issue, even though leaked credentials are prime ammunition for manipulating employees and for many other attacks.

  How usecure's HRM fixes this - Ongoing dark web monitoring detects when employee credentials are compromised and up for grabs on the dark web, with additional insight into which service led to the breach and what type of data is exposed.

  • Overlooking the importance of policies - Sometimes, employees are oblivious to their responsibilities as a key security cog in the business. Often, this is due to a lack of clear communication when it comes to security policies and processes. Employees need to understand what security behaviour is expected of them, why it is so important, and what the benefits are of abiding by the rules and the implications of not doing so.

  How usecure's HRM fixes this - Policy management and communications are made simple with an easy-to-navigate document library and automated eSign approval tracking that eliminates the time and hassle of chasing staff signatures.
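The "tackling the problem at the source" point above, and the Dark Web Monitoring feature earlier on the page, come down to two checks: which company accounts appear in known breach dumps (and what data leaked with them), and whether a password in use is already in a breach corpus. The following added example shows both as a practitioner would build them; it is illustrative code and says nothing about how usecure's service works internally. The password check mimics the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords API (the client sends only the first 5 hex characters of the SHA-1 hash and matches the remaining suffix locally), but here the service side is a mock over a constructed, fictional breach corpus so that it runs offline. The breach names, emails and passwords are all made up.

```python
import hashlib
from collections import defaultdict

# Constructed, fictional breach corpus: (breach_name, email, plaintext_password_or_None, data_classes).
# A real corpus would hold hashes or cracked plaintexts from public dumps, never your own users' passwords.
BREACH_CORPUS = [
    ("example-forum-2019", "alice@corp.example", "Summer2019!", ("email", "password")),
    ("shopsite-2021", "bob@corp.example", "hunter2", ("email", "password", "phone")),
    ("shopsite-2021", "someone@elsewhere.example", "letmein", ("email", "password", "phone")),
    ("newsletter-2020", "carol@corp.example", None, ("email",)),   # email only, no password leaked
]

HEX = set("0123456789ABCDEF")


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# ---- service side: stands in for a breach-lookup / range endpoint ----

def build_range_index(corpus):
    """Bucket SHA-1 hashes of leaked passwords by their 5-char prefix, counting repeats."""
    index = defaultdict(lambda: defaultdict(int))
    for _, _, password, _ in corpus:
        if password is not None:
            h = sha1_hex(password)
            index[h[:5]][h[5:]] += 1
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_query(prefix):
    """Mock k-anonymity range endpoint: for a 5-hex-char prefix, return 'SUFFIX:COUNT' lines.

    The service never learns the full hash, only which of 16^5 buckets the client asked for.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    bucket = RANGE_INDEX.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


# ---- client side: what a monitoring agent would run ----

def password_exposure_count(password):
    """How many times this password appears in the corpus, without sending it or its full hash."""
    h = sha1_hex(password)
    for line in range_query(h[:5]).splitlines():
        suffix, count = line.split(":")
        if suffix == h[5:]:
            return int(count)
    return 0


def domain_exposures(corpus, domain):
    """Company accounts found in breach records, with the breach source and data classes.

    Returns no password material; it only flags whether a password leaked so the account can be reset.
    """
    found = defaultdict(list)
    suffix = "@" + domain.lower()
    for breach, email, password, classes in corpus:
        if email.lower().endswith(suffix):
            found[email.lower()].append({
                "breach": breach,
                "data": classes,
                "password_leaked": password is not None,
            })
    return dict(found)


if __name__ == "__main__":
    for email, hits in domain_exposures(BREACH_CORPUS, "corp.example").items():
        print(email, hits)
    print("hunter2 seen:", password_exposure_count("hunter2"))
    print("passphrase seen:", password_exposure_count("correct horse battery staple"))
```

The two checks feed different responses: a domain hit with `password_leaked` set means the account needs a forced reset and an MFA check, while an email-only hit mainly tells you that user is a likelier spear-phishing target. Against the real Pwned Passwords API you would replace `range_query` with an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` and parse the same `SUFFIX:COUNT` lines.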

Shine a light on your organisation's human cyber risk today


Start calculating and understanding your organisation's human cyber risk with usecure. Grab a free 14-day trial to:

  • Assess user risk with a free phishing simulation
  • Detect exposed credentials with a dark web scan
  • Explore a library of video and interactive training courses

Create your free trial account now, or access a library of on-demand demos.
