The following are a set of recommended actions that a security team could take, based on the insights that may be present in their data following the launch of ASAT and phishing campaigns. Each recommendation includes:
- The OutThink product required to capture the insight.
- The insights which combine to drive the recommendation.
- Why the security team might be interested in prioritising the recommendation and taking further action.
OutThink product(s) required for insights | Insight 1 | Insight 2 | Recommended Actions | Why? |
---|---|---|---|---|
PS | Repeat compromise | | 1. EVA nudge to explain the importance of staying vigilant 2. Phishing Tips: What to look out for? | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS | Repeat compromise | | 1. Additional phishing training | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS | Didn’t engage in additional training when offered (phishing threat perception low) | | 1. Line manager conversation with employee to highlight the importance of cybersecurity 2. Consider revoking privileges or exceptions to the device, e.g. USB access | 91% of breaches start through compromised users. Highlight the impact of compromise and discuss why the user has declined the additional training offered to support them. Consider whether the user’s resistance to improving should require removal of privileges to reduce risk. |
HRI | Repeat compromise | Didn’t engage in additional training when offered (phishing threat perception low) | 1. Line manager conversation with employee to highlight the importance of cybersecurity 2. Consider revoking privileges or exceptions to the device, e.g. USB access | 91% of breaches start through compromised users. Highlight the impact of compromise and discuss why the user has declined the additional training offered to support them. Consider whether the user’s resistance to improving should require removal of privileges to reduce risk. |
PS | Users didn’t spend enough time examining the email before clicking (compare open timestamp and click timestamp) | | 1. EVA nudge to explain the importance of staying vigilant 2. Phishing Tips: What to look out for? | 91% of breaches start through compromised users. |
PS | Users didn’t spend enough time examining the email before clicking | | 1. Additional phishing training – Phishing tips: Suspicious links | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
ASAT | Users not trained on phishing / have low knowledge of the topic | | 1. Additional phishing training | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS (with MS Graph integrated) | Users clicked whilst on holiday / out of office | | 1. EVA nudge on safe email handling whilst OOO | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS (with MS Graph integrated) | Users clicked whilst on holiday / out of office | | 1. Training on safe email handling whilst OOO | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS (with MS Graph integrated) | Users suffer from email fatigue | | 1. Send EVA nudge on safe email box clean-up | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS (with MS Graph integrated) | Users suffer from email fatigue | | 1. Training on safe email box clean-up | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS, ASAT | Compromised users | Users with admin privilege | 1. Send list to SOC / CISO for access review | If users who have admin privileges are compromised in a breach, the threat actor can more easily navigate the organization using the user’s privileges. This exposes the organization to much higher risk when trying to contain a breach. |
PS | Compromised users | CXO level | 1. Send list to SOC / CISO for further analysis | CXO-level users can be targets of a breach due to the level of sensitive information they have access to. CXOs compromised in simulations should be reported to the CISO/SOC to decide on subsequent action. |
HRI | Compromised users | Work in close collaboration with CXO level | 1. Enrol users in lateral movement training | CXO-level users can be targets of a breach due to the level of sensitive information they have access to. Threat actors will move laterally through compromised employees to target CXOs. |
PS | Repeat compromise | Users who didn’t spend enough time on the landing page | 1. Additional phishing training | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
ASAT | Users haven’t completed training | | 1. Automated reminders 2. Manual reminders 3. Line manager escalation | Prompt users to complete training – they may have forgotten, and a reminder could be useful. Educate users as to why completing their training matters – mention the compliance and regulatory obligations the business needs to fulfil. |
PS, ASAT | Compromised users | Users with low knowledge on phishing | 1. Additional phishing training | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
ASAT | Users with no phishing training | | 1. Assign phishing training | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
PS, ASAT | Compromised users | Users with admin privilege | 1. Re-test with auto-enrol training based on compromise | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. It is harder to contain a breach if a user who has admin privileges is compromised, as the threat actor can use those privileges to propagate through the organization’s IT environment. |
PS | Compromised users | Clicked via mobile device | 1. Training on safe use of mobile devices and phishing | 91% of breaches start through compromised users. Highlighting the impact of compromise and tips on how to avoid it can reduce the risk. |
ASAT | New joiner not completed training | | 1. Launch new joiner ongoing Curriculum course. 2. Targeted auto-reminders. 3. Line manager notification | New joiners might not have experienced cybersecurity awareness training previously and might have a lower base knowledge than tenured employees. As part of onboarding, new joiners should gain an introduction to cybersecurity principles and organizational policies to enable them to help protect the firm. |
ASAT | Line managers / CXOs not completed training | | 1. Targeted reminders | Line managers should be leading by example in demonstrating the importance of engaging with training and learning how they can best watch out for cyber threats and help the organization prevent them. |
ASAT | Users haven’t completed training | Users with admin privilege | 1. Targeted reminders. 2. Specific campaigns about admin privilege | Drive higher engagement by sending users content which is particularly pertinent to their role and emphasises the importance of managing privileges properly. Administrative accounts are frequently used in breaches to propagate through IT environments and domains. |
ASAT | Line managers with low knowledge / engagement scores | | 1. Offline classroom-based training workshop for these users | Line managers need to lead by example and demonstrate the importance of engaging with training. They also need to help educate their teams and support them with their knowledge and questions, which is why it might be worth investing in classroom-led training for these managers. |
ASAT | Users reporting high productivity impact | Department / Job title breakdown | 1. Provide list to CISO | Analyse whether certain roles have a higher productivity impact than others. Understand whether policies need to be altered to help support business activities. Security as an enabler of business. |
ASAT | Line managers who report productivity impact | | 1. Provide list to CISO | Analyse whether certain roles have a higher productivity impact than others. Understand whether policies need to be altered to help support the business. Discuss with the line managers, as this could impact the security culture in their team. |
HRI | Users with high knowledge | Users reporting high productivity impact | 1. Provide list to CISO | This group is likely to have valuable feedback on security processes that are not working as well as they could. Where this group reports a serious impact, it is likely that less security-aware employees are either struggling or finding workarounds. View these learners’ feedback in our system to understand their concerns. If possible, reach out to them to learn more. |
HRI | Users who use social media for their role | Users who haven’t declared their social media use | 1. Provide social media training to users 2. Engage with social media SMEs in the business to discuss educating employees on which technologies count as social media | Threat actors can use social media engagement with users as a means of starting their breach through the perimeter of an organization’s security controls. |
HRI | Users who use social media for their role | Users with low knowledge in social media trainings | 1. Provide social media training to users 2. Retrain in specific social media modules | These users pose a higher risk to the organisation. Threat actors can use social media engagement with users as a means of starting their breach through the perimeter of an organization’s security controls. |
HRI | Users are cloud users | Haven’t declared cloud use | 1. Provide safe cloud use training to users 2. Engage with cloud SMEs in the business to discuss educating employees on which technologies/products count as cloud | Threat actors can use cloud technologies as a means of starting their breach, as many cloud technologies are exposed to the internet. |
HRI | Users are cloud users | Low knowledge in cloud trainings | 1. Provide safe cloud use training to users 2. Retrain in cloud modules | Threat actors can use cloud technologies as a means of starting their breach, as many cloud technologies are exposed to the internet. |
HRI | Users have access to sensitive data | Low knowledge in sensitive data trainings | 1. Provide further training on importance of protecting sensitive data, and properly classifying data 2. Share list of users with the SOC / CISO – consider revoking privileges | If users who have admin privileges are compromised in a breach, the threat actor can more easily navigate the organization using the user’s privileges. This exposes the organizations to much higher risk when trying to contain a breach. |
HRI | Users have privilege access | Low knowledge in privilege access trainings | 1. Provide further training on importance of protecting sensitive data, and properly classifying data 2. Share list of users with the SOC / CISO – consider revoking privileges | If users who have admin privileges are compromised in a breach, the threat actor can more easily navigate the organization using the user’s privileges. This exposes the organizations to much higher risk when trying to contain a breach. |
HRI | Users with high confidence in their cybersecurity capabilities | Users with mid / low engagement | 1. Provide a list of users to each line manager to discuss their lower than average engagement in training | Users have high confidence in identifying threats, but lower than average engagement in training content – are they over-confident? Is the content too easy? |
HRI | Users with high confidence in their cybersecurity capabilities | Users with low demonstrated knowledge | 1. Provide a list of users to each line manager to discuss their lower than average knowledge in training, despite high confidence | Users have high confidence in their ability but their knowledge demonstrated is low – are they over-confident? |
HRI | Users with low demonstrated knowledge | Users reporting high productivity impact | 1. Provide a list of users to the SOC / CISO – would we consider additional controls on their devices or review of privilege 2. Line managers to discuss with users why they are reporting high productivity impact, and remind users of the importance of cybersecurity and staying alert to threats | Users believe their productivity is being hit and their knowledge is demonstrated to be low – will they follow the training or likely bypass in favour of productivity, and could this enhance the risk to the organization? |
HRI | Users with low demonstrated knowledge | Users with access to sensitive data | 1. Discuss with their line manager on how they can be better supported in their learning 2. Share list with SOC/CISO | Users demonstrating low knowledge of content but have access to sensitive data |
HRI | Users with mid / low intention to comply with policy | Users with privilege access | 1. Share list with SOC/CISO for consideration of privileges being revoked 2. Discuss with their line manager who should emphasise to the employee the importance of complying with policy, and to understand why the user indicated they might not. | User demonstrates low / mid intention to comply with training learnings, but also has access to privileged systems |
HRI | Users demonstrating low phishing resilience | Users with access to sensitive data / privilege access | 1. Share list with SOC/CISO for consideration of privileges being revoked 2. Discuss with their line manager who should emphasise to the employee the importance of staying vigilant to cybersecurity threats, and taking time to inspect emails before interacting with links etc. | User demonstrates low phishing resilience, so is more susceptible to a threat actor, and also has access to privilege systems / sensitive data. If a breach were to occur through the user’s account, the threat actor has the potential to move laterally through the network using the privilege access. |
HRI | Users reporting high impact to productivity | Users with devices outside of policy | 1. Share list with the SOC / CISO for consideration of revoking exceptions or adding additional security controls to the device | User believes their productivity is being hit by following security policies, and their device is non-compliant with policy – could they circumvent teachings and be susceptible to breach? |
HRI | Users with privilege access | Users with devices outside of policy | 1. Share list with the SOC / CISO for consideration of revoking privileges | Users have privilege access, and their device is non-compliant with policy – if they were to be targeted, could threat actors easily use their device to propagate through the network? |
HRI | Users who demonstrate low phishing resilience | Users with devices outside of policy | 1. Share list with the SOC / CISO for consideration of adding additional security controls to the device | Users have been susceptible to compromise in simulations, and their device is non-compliant with policy – if they were to be targeted, is a breach more likely and could threat actors easily use their device to propagate through the network? |
HRI | Users with low phishing threat perception, who refuse additional training on compromise | Users with devices outside of policy | 1. Share list with the SOC / CISO for consideration of adding additional security controls to the device | Users have been susceptible to compromise in simulations, and their device is non-compliant with policy – if they were to be targeted, is a breach more likely and could threat actors easily use their device to propagate through the network? |
HRI | Users with low demonstrated knowledge | Users with devices outside of policy | 1. Share list with the SOC / CISO for consideration of adding additional security controls to the device | Users are not as aware of security policy and best practice, and their device is non-compliant with policy – if they were to be targeted, is a breach more likely and could threat actors easily use their device to propagate through the network? |
HRI | Users with low engagement in training | Users with devices outside of policy | 1. Share list with the SOC / CISO for consideration of adding additional security controls to the device | Users are not as aware of security policy and best practice, and their device is non-compliant with policy – if they were to be targeted, is a breach more likely and could threat actors easily use their device to propagate through the network? |
HRI | Users who demonstrate low intention to comply with policy | Users with devices outside of policy | 1. Share list with the SOC / CISO for consideration of adding additional security controls to the device | Users have indicated they might not comply with security policy, and their device is non-compliant with policy – if they were to be targeted, is a breach more likely and could threat actors easily use their device to propagate through the network? |
HRI | Users who demonstrate low phishing resilience | Users with high possibility of email fatigue due to volume of emails received | 1. Training on safe email box clean up | User demonstrates low phishing resilience and also receives a very high number of emails a day – could this combination result in a higher chance of breach? |
HRI | Users with high engagement / high knowledge | Users who demonstrate high intention to comply with security policies | 1. Security champions. Thank them. Understand how you can use them to excite others / drive others to care about security | A security champion! How can you use their aptitude to influence and educate others? |
HRI | Users who demonstrate high intention to comply with security policies | Users who indicate no productivity impact due to security policies | 1. Security champions. Thank them. Understand how you can use them to excite others / drive others to care about security 2. Provide list to CISO to talk with them and understand why they don’t believe policies impact their role – learn for communication of business and security working in harmony | A security champion! How can you use their aptitude to influence and persuade others that productivity doesn’t need to take a hit? |
HRI | Users demonstrating frequent social media use in their role | Users who declared social media use in their role | 1. Training on social media use | Threat actors can use social media engagement with users as a means of starting their breach through the perimeter of an organization’s security controls. |
ASAT | Users who demonstrate low intention to comply with security policies | Department / Job title breakdown | 1. Provide a list of users to the SOC / CISO – look for trends to understand if the users’ role or departmental responsibilities mean there is higher chance of conflict between business and cybersecurity | An opportunity to understand more about the friction between business and cybersecurity – are there certain roles or departments which are impacted more by security policy than others? What can be learned about this, and can action be taken to improve the balance? |
HRI | Users with devices outside of policy | Department / Job title breakdown | 1. Provide a list of users to the SOC / CISO – look for trends to understand if the users’ role or departmental responsibilities mean there is higher chance of conflict between business and cybersecurity, meaning exceptions are required | An opportunity to learn more about why devices are out of policy – is it due to a user’s role or department requiring exceptions to be granted. Can additional controls be put in place to mitigate the exceptions? |
HRI | Users with devices outside of policy | Users who demonstrate high intention to comply with security policies | 1. Provide a list of users to the SOC / CISO – understand why the exceptions have been granted, and how they have enabled the users to comply with other security policies | An opportunity to learn more about why devices are out of policy – what exceptions have been granted which mean a user intends to comply? Are those exceptions still needed? |
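As an added example (not OutThink's code), the following Python sketch derives a few of the table's insights from constructed phishing-simulation events and HR attributes (repeat compromise, open-to-click dwell time, admin privilege, missing training) and maps them onto the matching actions; the event fields, attribute names and the 10-second dwell threshold are assumptions.

```python
# Added example (not OutThink's code): derive the table's insights from
# constructed simulation events and HR attributes, then map them to actions.
# The 10-second dwell threshold and all field names are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed events: one per (user, campaign); "clicked" is None if no click.
SIM_EVENTS = [
    {"user": "alice", "campaign": "C1", "opened": "2024-03-04T09:00:00", "clicked": "2024-03-04T09:00:04"},
    {"user": "alice", "campaign": "C2", "opened": "2024-04-02T10:15:00", "clicked": "2024-04-02T10:16:30"},
    {"user": "bob", "campaign": "C1", "opened": "2024-03-04T09:05:00", "clicked": None},
    {"user": "bob", "campaign": "C2", "opened": "2024-04-02T11:00:00", "clicked": "2024-04-02T11:00:03"},
    {"user": "carol", "campaign": "C2", "opened": "2024-04-02T12:00:00", "clicked": None},
]
# Constructed identity / training attributes (assumed schema).
USER_ATTRS = {
    "alice": {"admin": True, "phishing_training_done": True},
    "bob": {"admin": False, "phishing_training_done": False},
    "carol": {"admin": True, "phishing_training_done": False},
}
DWELL_THRESHOLD_S = 10  # assumed minimum seconds between open and click

def derive_insights(events, attrs, dwell_threshold=DWELL_THRESHOLD_S):
    """Return {user: set of insight labels} using the table's definitions."""
    clicks = defaultdict(int)
    insights = defaultdict(set)
    for e in events:
        if e["clicked"] is None:
            continue
        clicks[e["user"]] += 1
        insights[e["user"]].add("compromised")
        # "Didn't spend enough time examining email": open-to-click dwell.
        dwell = datetime.fromisoformat(e["clicked"]) - datetime.fromisoformat(e["opened"])
        if dwell.total_seconds() < dwell_threshold:
            insights[e["user"]].add("insufficient_examination")
    for user, n in clicks.items():
        if n >= 2:  # clicked in two or more campaigns
            insights[user].add("repeat_compromise")
    for user, a in attrs.items():
        if a["admin"]:
            insights[user].add("admin_privilege")
        if not a["phishing_training_done"]:
            insights[user].add("no_phishing_training")
    return dict(insights)

# (required insights) -> recommended action, taken from rows of the table.
RULES = [
    ({"compromised", "admin_privilege"}, "Send list to SOC / CISO for access review"),
    ({"repeat_compromise"}, "Additional phishing training"),
    ({"insufficient_examination"}, "EVA nudge: importance of staying vigilant"),
    ({"compromised", "no_phishing_training"}, "Additional phishing training"),
    ({"no_phishing_training"}, "Assign phishing training"),
]

def recommend(insights):
    """Map each user's insight set onto the matching table actions (deduplicated)."""
    return {user: sorted({a for need, a in RULES if need <= have})
            for user, have in insights.items()}
```

Rows that need attributes the sample data lacks (CXO level, device policy exceptions, out-of-office status) can be added as further labels and rules in the same shape.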