Wednesday, 24 April 2019 14:30

Cyber security requires staff commitment: Mimecast official

Mimecast senior vice president and general manager of Mimecast Security Awareness Michael Madon

Almost 99% of people "really don't care" about corporate security, warns Mimecast senior vice-president and general manager of Mimecast Security Awareness, Michael Madon.

Mimecast Security Awareness's mission is to avoid employee mistakes in the workplace. And to do that, you have to meet people where they are, not where you want them to be, he said.

That's why Ataata, the security awareness business co-founded by Madon and subsequently acquired by security vendor Mimecast, put its efforts into delivering security training content in such a way that people would not simply tune out, and into collecting data about how employees actually behave (eg, the results of phish testing).

The company could then rate employees according to the risk they represent, and then deliver targeted remedial training.

While Madon agrees that IT security requires a combination of technology (eg, endpoint and network security tools) and training, "you have to arc towards one or the other" according to the problems you face.

For example, malicious insiders represent around 5% of the security problem, but training doesn't work for them. They may deliberately flunk training, he told iTWire, or avoid it completely. "You could give Edward Snowden all the training in the world," he observed.

Dealing with that category of people requires robust technology such as data loss prevention, he said.

But the vast majority of people are good employees who are open to learning providing the material is presented in an effective way – and for most people, that means video. After all, the number two search engine in the world is YouTube, Madon pointed out.

The goal of training is to change behaviour, which can be done by applying fear or humour, and "fear is not a sustainable motivator."

In addition to using humour, Madon advocates microlearning — an ongoing drip-feed of snippets of information — as well as applying technology to measure how people think and act about security.

Mimecast acquired Ataata relatively recently (July 2018), and is still in the process of integrating security awareness training with the rest of the Mimecast platform. For example, this will allow customers to identify the most-targeted people and deliver appropriate training.

"That's the beauty of Mimecast... it's truly an integrated platform," he told iTWire, which means training can be weighted towards actual rather than merely potential risks.

"The goal and power of the platform is community defence" and awareness training is part of that.

The company also realises that there is no longer a demarcation between an individual's work and private activity. Indeed, some organisations encourage their employees to post about work issues on social media, but this carries a risk of confidential information being inadvertently or carelessly leaked.

"It happens all the time," he said. So some of the training materials are set entirely in a home context.

Information leaks also happen in the real world. For example, two people might discuss a business deal while travelling in a hire car or taxi, not realising that the driver works in their industry and is merely moonlighting for extra money. Even if they don't mention the name of their company, the driver may be able to determine it if they pay for the trip with a corporate card.

"I know this happens," he said. Furthermore, CISOs have told him about cases where their friends have alerted them to overheard conversations on trains that disclosed corporate secrets.

Madon recommends organisations establish programs that view security holistically and work towards moving people's view of security from "compliance" to "commitment", in the sense that security is seen as a critical factor for personal success.

So a security professional shouldn't have goals along the lines of "reduce the number of times that employees click on fake phishing emails"; rather, they should be working to change the organisation's culture to include a commitment to security.

HR departments have done a great job in changing some aspects of workplace behaviour (such as treating fellow employees with respect simply because that's the right thing to do), but they should take a similar view of security matters, he said.


Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
