Security Awareness Training Done Right
When the anatomy of successful cyberattacks is analyzed, nearly all of them have
one thing in common – some user, somewhere, did something that could have been avoided. Despite the most advanced protections that can be put in place, despite the best threat intelligence that can be brought to bear, organizations remain vulnerable because of one key factor: human error.
Research shows that 90%+ of breaches involve human error; and in 2018,
organizations faced a 27% chance of suffering a major data breach involving 10,000 records or more. Those types of massive breaches came with an average cost of four million dollars each to remediate. Clearly, human error is not to be taken lightly.
People are – and likely always will be – the weak link in the chain. Yet, efforts to reduce the very real risk they represent are
failing. Organizations are pouring billions of dollars into security and awareness training, but these investments are not
translating into results. In fact, the probability that companies of all types and sizes will experience a security breach is greater
today than it was four years ago. Something needs to change.
Cybersecurity For Humans
Mimecast helps companies protect their employees, intellectual property, customer data, and brand reputations by providing
comprehensive, cloud-based security and compliance solutions that mitigate risk and reduce the cost and complexity of creating
a cyber-resilient organization.
Mimecast Awareness Training is a security awareness training and cyber risk management platform that helps you combat
information security breaches caused by employee mistakes. Developed by top leadership from the U.S. military, law
enforcement, and intelligence community, it makes employees an active part of your defense, instead of your biggest risk, by:
- Providing the best, most engaging content in the industry – People don’t “like” Mimecast’s training – they love it. They ask for more. They print T-shirts based on our characters. The engagement our training drives and the results it delivers are difficult to match.
- Deploying training persistently, but not intrusively – Cyberattacks are many things, but one thing they are not is predictable. Mimecast combines highly engaging content with a persistent, non-intrusive training methodology to change behavior, improve knowledge and retention regarding core security issues, and ultimately lower risk. We help you create and maintain the highest possible level of organizational security awareness, and the punch line is that the training takes only 2 to 3 minutes a month, a tolerable ask of today’s busy employee.
- Fostering individual responsibility – Mimecast Awareness Training helps build your human firewall by working to give all employees a stronger sense of individual responsibility for protecting the organization.
Oh, The Human Error…
Why are people such easy targets when it comes to cyberattacks? The greatest factor is the propensity of humans to be just that – human. The vast majority of mistakes are completely innocent and – more importantly – avoidable, with the most common causes being lack of knowledge, lack of attention, and lack of concern.
Security training typically fails because it doesn’t take these
realities into account. In other words, it doesn’t reflect how
people work and learn today. It’s delivered too infrequently
(what did IT say I should do when I get a suspicious email?). It’s long, dull, dry, and boring (I’ll pay attention in a second… just have to send this one email). And employees often feel targeted, rather than supported (“did IT really just try to trick me with this fake phishing email?”).
Bad Training – A Vicious Cycle
When training is unengaging and unenjoyable, people don’t learn. If they are not armed with the knowledge of what to look
out for and what to do when the situation arises, they will make mistakes. And, in what is an act of self-defense, they will treat
security as “somebody else’s problem” and develop a dismissive attitude about training. This negative process reinforces itself
over time, making insufficient training programs not just useless, but harmful. It’s time to break the cycle. As some incredibly
smart person once said, the definition of insanity is doing the same thing o ver and over and expecting a different outcome. The
time for a new approach has arrived.
The Key To Engagement - Humor
Training systems typically rely on fear to drive engagement. That
works. For a short time. Then employees become desensitized,
resentful, and unresponsive. Is that really the way?
Not in our view. Mimecast relies on humor to engage. Studies show
that humor releases dopamine in the brain, which is positively
correlated with goal-oriented learning results and long-term memory retention. Humor works with students of all ages. Educators have shown that using humor with any age of student – from kindergarten through college – drives better performance. And humor will work with your employees too.
Our security training is built to make you chuckle. Each training module is anchored on a 2-3 minute video, written by real
movie/TV comedy writers and acted by entertainment industry pros. In a few minutes per month, employees get a dose of
knowledge, learning what to do through mini-sitcoms they won’t forget. Our training videos are the foundation of a focused,
complete, and effective system that imparts and reinforces crucial knowledge.
The Key To Engagement - Humor
Welcome Sound Judgment
Mimecast Awareness Training uses a continuous,
virtuous cycle that changes behavior and lowers risk.
The foundation of the platform is engagement through
humor, which is the key to improving awareness and
Only by getting employees to understand both what’s
at stake and what to do about it can you change their
attitudes and drive a lasting, positive shift in security
culture. To accomplish these objectives, Mimecast
Awareness Training focuses on four key areas.
1) Engaging Training
Mimecast Awareness Training delivers massively engaging, video-based training modules – developed by professionals from the TV and film industr y – to all users on a monthly basis. These 3 to 5 minute video-centric modules take a best-practice, “micro-learning” approach, driving retention by delivering persistent learning in manageable and digestible blocks.
Core to Mimecast’s training approach is humor (don’t laugh now, we’re being serious). Our videos are built to be informative
of course, but they are also meant to be fun. Rather than threatening with fear, Mimecast finds it far more effective to engage
with funny. Why? Because employees will look forward to training, rather than dreading it. They will pay attention. And most
importantly, they will learn.
Each video takes a complex and (let’s be real here) often boring topic – from ransomware, phishing, and impersonation fraud to regulations (we heart you GDPR) and privacy rules – and makes it understandable.
The content is broken down into:
- What the threat Is
- What to do about It
- Consequences for the company
- Personal impact
The content provides a holistic approach across all security concerns; and with 12 to 15 new modules created every year, training stays both fresh for end users and reflective of a
continuously changing threat landscape.
2) Real-World Testing
Mimecast understands that testing must be more than a box-checking exercise if it’s going to have any impact or lasting effect.
That’s why the Mimecast Awareness Training platform regularly evaluates employees and tracks indicators across the three root
causes of human error – knowledge, awareness, and attitude. These testing capabilities are designed to assess three key areas.
The first is employee attitudes and sentiment toward security (from “sir, yes sir” to “frankly my dear, I don’t give a damn”).
Every user is presented with a set of questions before any training is delivered to establish a baseline and is then asked to
respond to those same questions again every six months thereafter. Results are then used to assess how seriously each
employee takes security threats and how prepared each individual feels to cope with them.
The second area is employees’ knowledge of the concepts each training module delivers, with a single question that
gets straight to the heart of the matter at the end of each session. Questions are designed to reinforce key concepts and force
employees to think about each scenario in a unique way. This process has a massive positive impact on information retention
and ultimately, behavioral change.
Last but not least are Mimecast’s phishing test capabilities, which are fully integrated with our training modules and simple to
implement and manage – no dedicated resources required. Custom tests can easily be built and deployed, and there is a large
selection of stored templates to choose from. And in breaking news, Mimecast will soon be the only security training provider
that can support personalized delivery of authentic but de-fanged phishing attacks for training purposes. Instead of relying on
made-up phish tests or watered-down templates, you’ll be able to test employees with real phishing emails in real-time. Yes, it’s
true! We’re excited about it too.
3) Employee And Company Risk Scoring
A major downfall of many training programs is that they treat everyone the same. Just as there was that kid in high school who
could have taught your math teacher advanced calculus, there will be people in your organization who need minimal support
from a security training standpoint. Likewise, there will be individuals who require regular coaching and intervention or who, by
the nature of the positions they hold (a wire transfer would be perfect, thanks), are more likely to be targeted.
The Mimecast Awareness Training platform lets you focus
on the greatest areas of risk and need by using a predictive
model to determine who your riskiest employees are based on both behavior and how likely they are to be attacked.
The solution compares employee testing data across
millions of data points to assess risk at both an individual
and organizational level. The system then rates employees from very poor to excellent. Those who receive a poor score are operating two standard deviations from the mean of behavior and are in the riskiest 3% of employees. In other words, they’re truly a security issue. Armed with this information, you can direct training resources to those who need it most, dramatically improve outcomes, and substantially reduce risk.
4) Custom, Personalized Training And Other Remediation
With employee risk scores in hand, the question of where to focus has been answered, but the Mimecast Awareness Training
platform is designed to help you answer the question of how to help as well. Based on individual employee profiles, training can
be delivered with more regularity, and behaviors can be flagged so your team can provide one-to-one coaching when needed.
Customized scenarios can be created to continuously assess and train high-risk employees, and system permissions can also be
adjusted for those who don’t respond well to training.
The Real Ph_ing Deal
Try as most security teams might, it’s virtually impossible to consistently and accurately replicate the sophistication and variability of genuine cyberattacks for the purpose of testing and training employees – a factor that automatically puts your organization at a disadvantage and one that cyber criminals count on.
Mimecast will soon be the only provider that can support personalized
delivery of authentic but de-fanged phishing attacks for training purposes. Instead of relying on made-up phish tests or watered-down templates, Mimecast will allow you to test employees with real phishing emails in real-time and factor the results into employee risk scoring and analysis. Now THAT is ph_ing awesome.
With traditional approaches, you only know how employees respond to real phishing attacks when they actually occur. This ground-breaking capability from Mimecast will soon allow you to test your users with the real deal in a completely safe environment. Think of it this way. The next time you fly, would you prefer your pilot to have received all their training in a flight simulator, or to have had some actual time behind the stick? Which would you choose? Yep – us too.
- Highly engaging, modern training videos created by some of the top talent in the entertainment industry
- Best-practice, micro-learning approach that delivers 3 to 5 minute video-based training modules to every user monthly
- Simple, intelligent, and predictive testing to measure both knowledge and sentiment
- Employee and organizational risk-scoring measured against millions of industry data points
- New training delivered 12 to 15 times a year to ensure content stays fresh and relevant
- Easy to implement and manage phish testing, with the ability to use real-life, de-fanged phishing tests coming soon
- The best, most engaging content in the industry
Mimecast isn’t your grandfather’s security training content. It’s different, it’s funny, and it’s effective.
- The expertise and trust of people who know whereof they speak
Mimecast’s Awareness Training was developed by top leadership from the U.S. military, law enforcement, and intelligence community and is trusted and endorsed by people with deep knowledge of cybersecurity challenges and first-hand experience addressing them – including a former director of the FBI and a former SVP and CSO for AT&T.
- Real-time, predictive risk scoring
Scoring is applied at both the employee and organizational level and is based on comparison with millions of industry data points. You’ll know where to focus your resources and time, so you can reduce risk and maintain the highest possible level of organizational security awareness.
- Real-world resilience
Mimecast puts an end to “spray and pray” training by allowing you to target groups at the greatest risk with specialized and personalized training. You can make the awesomeness of the limited resources at your disposal stretch farther and have a greater impact than ever before.
- Comprehensive cybersecurity capabilities with a single solution
Mimecast Awareness Training is fully and seamlessly integrated with Mimecast’s full suite of email security, web security, and cloud archiving solutions, giving you the option to deploy a single, cloud-based solution to address all your cybersecurity needs.
The Mimecast Difference
The Mimecast Security
The Mimecast Security Operations Center (MSOC) is
staffed by security experts whose sole focus is to help you
stay ahead of attackers by continuously monitoring,
optimizing, and enhancing Mimecast’s solutions. The
- Always on – Monitoring Mimecast solutions 24x7, 365 days a year
- Always monitoring – Collaborating with thirdparties, partnering with customers, and keeping a constant eye on the threat landscape
- Always improving – Conducting research into the behavior and strategy behind attacks; driving continuous adaptation.