
Latest news with #humanrisk

Rethinking Security Training With A Human Risk Management Approach

Forbes

30-06-2025


Masha Sedova, VP of Human Risk Strategy, Mimecast.

What's the one area in cybersecurity that is overdue for change? It's security awareness training. After three decades of underwhelming results, it's clear that security awareness programs haven't kept up with today's threat landscape. Human error remains the leading cause of data breaches, with Mimecast reporting that 95% of data breaches involve user mistakes. While those numbers remain stubbornly high, conventional training methods fail to instill lasting behavioral change.

If we want security awareness to truly protect organizations, we need to rethink everything—from how we structure training, to the metrics we track, to what 'success' actually looks like. It's time to stop measuring attendance and start measuring action. By focusing on adaptive learning, personal accountability and measurable outcomes, we can evolve security awareness from a compliance checkbox into a core defense mechanism.

Why Legacy Training Fails To Deliver

For years, security awareness relied on outdated tactics like annual training modules and phishing simulations. These tools often create a false sense of progress while leaving companies exposed when behavior doesn't shift. The problem isn't just outdated content—it's the one-size-fits-all structure. Most organizations deliver the same training to every employee, regardless of job role, risk exposure or history of security missteps. Expecting uniform outcomes from workers with vastly different responsibilities is both unrealistic and ineffective.

Worse, the metrics used to assess these programs are often meaningless. Completion rates and engagement scores track participation, not progress. It's time to prioritize behavior and results, not just check-the-box compliance.

What Human-Centric Training Should Look Like

To truly reinvent security awareness, organizations need to move from static, one-dimensional programs to those that empower employees and respond to evolving risks. Grounded in a human risk management framework, this new approach should center on three pillars:

The calendar-based model no longer works. Cyberthreats evolve rapidly, and training must evolve with them—meeting employees at the point of risk. Just-in-time learning is essential. If an employee clicks on a risky link, a prompt that explains the mistake and offers safer alternatives helps cement the lesson when it matters most. Threat-responsive updates are just as vital. Security programs should shift with threat levels—deploying phishing alerts during surges or ransomware simulations when relevant. Even simple interventions, like monthly nudges, help keep good habits top of mind.

Not all employees face the same risks. Senior leaders are often targeted by spear-phishing. Developers may encounter credential-harvesting threats. Yet most training programs treat all employees the same. A more tailored approach improves both relevance and retention. This can be achieved by taking the following steps:

  • Categorize employees by their risk level (low, medium, high) based on job role, access level and past behavior.
  • Use real user data to shape future training and deliver targeted feedback or additional simulations for those who have fallen for phishing attempts.
  • Create transparent risk profiles that show employees how their behavior compares to peers (e.g., "You are two times more likely than your peers to click a phishing link.") to promote self-awareness.

Customization doesn't just drive better results. It shows employees that the training applies directly to their day-to-day challenges—and empowers them to reduce risk on their own.

One of the biggest shifts needed is how we define success. Vanity metrics like completion rates won't cut it. Focus instead on data points that reflect behavioral change and reduced risk outcomes, including:

  • Reduced successful phishing attacks over time
  • Improved password hygiene (e.g., reduction in reused or weak credentials)
  • Decreased risky activities, like installing unapproved apps or mishandling sensitive data
  • Tangible economic benefits, such as lower remediation costs or fewer downtime events

Behavior-based metrics are not only more meaningful—they drive continuous improvement by showing what's working and where to focus next.

Creating A Culture Of Accountability

Modern security awareness must build trust, not fear. Employees shouldn't be punished into compliance—they should be brought into the process as active defenders. Give them visibility into their own progress. Simple dashboards or comparative banners (e.g., 'You're in the top 10% for secure behavior!') drive motivation and clarity. Recognition matters too. Celebrate employees who report phishing attempts or avoid traps. Positive reinforcement builds morale—and reinforces the right habits. When employees feel invested and informed, participation turns into ownership.

Reframing Awareness As Human Risk Management

Security awareness is just one part of a broader human risk strategy—but it's a high-impact opportunity hiding in plain sight. The poll results are clear: Industry frustration is high and legacy methods no longer serve. By shifting toward adaptive, personalized and outcome-based training, organizations can finally address the human vulnerabilities that attackers exploit most. When done right, security awareness doesn't just educate—it protects.

Five AI-Powered Threats Senior Leaders Should Be Aware Of

Forbes

22-05-2025


Perry Carpenter is Chief Human Risk Management Strategist for KnowBe4, a cybersecurity platform that addresses human risk management.

We're all too familiar with warnings about phishing scams, and they're still a security issue we need to be aware of. But there are a wide range of other concerns, beyond phishing, that should have your attention—and that you should be sharing with colleagues so they can collaborate with you to protect your company and assets. We're moving into what I call the 'Exploitation Zone'—a widening gap between technological advancement and human adaptability. It is, admittedly, tough to keep up unless, like me, you're singularly focused on data security and staying on top of increasingly sophisticated ploys by bad actors to exploit your human nature. Here are five AI-powered threats you need to understand and take steps to respond to.

It's not just emails we have to be worried about these days. Today's hackers can spoof more than email addresses. One of the quickly emerging scams is voice phishing, or vishing. Just last year, we saw a 442% increase in vishing attacks between the first and second half of 2024, according to CrowdStrike. Using publicly available voice snippets they can access via earnings calls, podcasts, video calls or media interviews, cybercriminals are able to create hard-to-detect voice clones. This can take the form of a frantic call from a 'grandchild' to a grandparent asking for money to help get them out of a jam. It can also take the form of a demanding call from a 'CEO' to release funds through a bank transfer.

Suggestion: Put steps in place to verify any requests for financial transactions, especially those received via calls or voice messages; consider using authentication questions that only legitimate business representatives would know.

Since the pandemic, it's not unusual for many types of meetings to take place in a virtual environment. That includes board meetings. When your board members are participating virtually, there's a chance for manipulation by bad actors. That's not just the stuff of science fiction. Deepfakes have already been used to influence critical business decisions or access sensitive information. A U.S. judicial panel has even considered how deepfakes could disrupt legal trials. Chances are that images and video clips of your board members and senior leaders exist. All cybercriminals need to do is get access to a few seconds of a voice recording, video, or sometimes even a single image and use generative AI tools to create audio and video that most people won't be able to discern from the real. Think I'm exaggerating? You can see me demoing the tools and tactics here.

Suggestion: Make sure you're using authentication to protect the security of any video calls. Implement multifactor authentication and establish verification procedures that involve different communication channels. And also, similar to the suggestion for No. 1, consider creating safe words or a verbal challenge/response procedure.

In 2023, a fake, likely AI-generated photo of an alleged explosion near the Pentagon briefly caused the S&P 500 to drop.

Suggestion: Develop crisis response plans to address the potential for synthetic media attacks, including rapid verification channels that can be used with targeted news outlets and financial partners.

Imagine a disgruntled employee using AI voice cloning to generate a fake audio recording of their CEO making discriminatory remarks. Or, picture an AI-generated video showing a senior-level official involved in questionable activities. It's all too possible with the rise of AI-generated content that is now literally at the fingertips of anyone with an axe to grind. Even when these attempts are proven to be false, the damage remains. It used to be true that 'seeing is believing.' That's still true, but what we're seeing may not be actually believable.

Suggestion: Be aggressive in monitoring digital channels for synthetic content related to your organization and your key executives, board members and other representatives. Have rapid response plans in place to address any incidents that occur, and be prepared to provide evidence of manipulation.

Large language models (LLMs) are the foundational technology behind many generative AI tools. While LLMs themselves don't access real-time information, threat actors can leverage these tools—often in combination with publicly available data about your organization—to craft hyper-personalized phishing campaigns and social engineering attacks. These messages can closely mimic the tone and style of internal communications, making it increasingly difficult for recipients to distinguish between legitimate and malicious content. In a now widely reported incident, what was likely a combination of voice cloning and video deepfakes was used to convince an employee at a multinational firm in Hong Kong to pay out $25 million. After participating in what turned out to be a fake, multi-person video conference call, and despite some initial misgivings, the employee did as requested.

Suggestion: Train staff members to recognize the warning signs of AI-enabled impersonation, such as limited interaction or refusal to answer unexpected questions. And encourage them to trust their gut. If something feels off, it probably is, and they should pursue additional verification options.

Repeated exposure to information and examples of the many ways bad actors are attempting to infiltrate and influence organizations and employees can help keep the threats top-of-mind and help minimize the chances of falling prey to these attacks.

Proofpoint's Sumit Dhawan on why human-centric cybersecurity is key

Gulf Business

12-05-2025


As cyber threats become more human-targeted and AI-driven, Proofpoint is expanding its footprint in the UAE. With local data centres, enhanced threat intelligence, and a growing partner network, the company is aligning closely with the region's cybersecurity priorities — at a time when 74 per cent of UAE CISOs cite human risk as their top concern. Here, we speak to CEO Sumit Dhawan about the cybersecurity challenges, opportunities and the way ahead for the company and businesses in the UAE.

What do you see as the biggest cybersecurity challenge for organisations in the UAE, and how is Proofpoint addressing them?

Today's cyber threats are growing in sophistication. Attackers are no longer simply targeting infrastructure — they're targeting people. This is the biggest challenge for security leaders in the region, with 74 per cent of UAE CISOs viewing human risk as their biggest cybersecurity concern. Organisations in the UAE, and globally, are facing multifaceted threats that exploit human vulnerabilities — from business email compromise (BEC) and ransomware to impersonation and supplier-related breaches.

Proofpoint addresses this by protecting the human layer of cybersecurity — the intersection of people, data, and collaboration tools. Human vulnerabilities drive over 80 per cent of breaches, making this the most important layer of defense. We provide tailored solutions that combine advanced threat detection, data security and governance, automated posture management, and intuitive education tools to reduce risk at scale. Traditional, siloed controls aren't enough. Proofpoint is building the only truly adaptive human-centric security platform that protects every individual and secures their data.

You're announcing significant investments in the UAE. What are you focusing on and how will this help address local cybersecurity needs?

Two key needs stood out in discussions with customers and government leaders: First, there's strong demand for cloud-based security paired with data sovereignty — many local businesses need data to remain within national borders. Second, there's unanimous agreement on the importance of human-centric security as a pillar of next-generation cybersecurity alongside XDR and SASE. To meet these needs, we launched local data centres in the UAE and Saudi Arabia, offering world-class threat protection with full data sovereignty. We've also expanded our local team, opened a new office, and built a regional partner network of 550 strong.

With the rise of AI and machine learning, what new threats are emerging, and how is AI being used to fight back?

AI has lowered the barriers for attackers. Language models now allow cybercriminals to craft convincing, localised attacks. In 2024, the UAE saw a 29 per cent increase in BEC attacks. At the same time, AI is revolutionising cyber defense. It enables faster detection, adaptation, and prevention of threats at scale. Proofpoint's edge lies in our vast human-centric threat data — our AI learns from millions of signals to stay ahead of attackers. In 2025, we will further integrate AI advancements into our platform, strengthening our lead in proactive, adaptive

How is Proofpoint helping businesses protect their data amid regulatory change and growing compliance pressure?

Data is increasingly at risk due to human behaviour and digital sprawl. The rise of generative AI, multi-cloud use, and fragmented collaboration tools make it difficult for businesses to maintain visibility and context. Proofpoint's human-centric platform helps unify data security, threat protection, and compliance. Our 2024 acquisition of DSPM leader Normalyze strengthened this capability. With our solutions running through local data centres, businesses in the UAE can ensure compliance while safeguarding critical and personal data.

Image: Proofpoint CEO Sumit Dhawan with Dr Mohammed Al Kuwaiti, head of the UAE Cybersecurity Council

What's ahead for Proofpoint and how does this align with the UAE's cybersecurity vision?

In 2025, our focus is clear: to cement our position as the leader in human-centric security and address growing challenges around sophisticated threats, stricter compliance, and fragmented security ecosystems. We were honoured to host Dr Mohammed Al Kuwaiti, head of the UAE Cybersecurity Council, at our Protect Tour event in Dubai. Proofpoint's mission is fully aligned with the UAE Cybersecurity Strategy — to build a secure, resilient digital future. As AI, cybersecurity, and human behavior intersect, that's where we're investing and innovating.
