Partnering with employees to measurably reduce cyber risk!

Godrej

Background

About us: Godrej Group is a multinational enterprise with revenue greater than $4.1B and 1.1B consumers worldwide. Godrej Industries Limited and Associate Companies (GILAC) is part of the Godrej Group. Godrej Industries is one of the Godrej Group's holding companies and has significant interests in consumer goods, real estate, agriculture and chemicals through its subsidiary and associate companies, across 18 countries.


SecurityAdvisor is a cybersecurity firm out of the Bay Area offering security awareness and automation solutions that fortify the end user through real-time and personalized security training. Godrej and SecurityAdvisor have partnered to safeguard employees from hackers.



TODAY'S FOCUS: PARTNERING WITH THE WORKFORCE TO DELIVER SECURITY OUTCOMES


Godrej has more than 10,000 employees across 4 continents. We take pride in being an exemplary employer. Today, we talk about our partnership with employees, leveraging SecurityAdvisor to help them stay safe from a cyber security standpoint.


Multiple studies have shown that between 60% and 95% of cyber incidents are caused by human actions. This is even more true today with the shift to remote work. The natural recourse for a CISO is to block employees from embracing technology or to place arbitrary limits on their browsing. Instead of limiting our employees, Godrej aimed to improve the security posture of our organization through direct end user education and engagement. Ultimately, this means securing the channels through which our employees interact with the external world: the web and email.


In this paper, we talk about the importance of partnering with employees to help them understand how their behavior, engagement, and culture as a user can lead to a range of security outcomes. Below you will find the 3 legs of our strategy to engage and empower employees and to measurably improve security outcomes:


Phase 1: Diagnostics

Phase 2: Surgical Strikes

Phase 3: Celebrate Outcomes

Phase 1: DIAGNOSTICS


Godrej has an established, rich technology ecosystem with a treasure trove of data to diagnose.


When we analyzed our data to find vulnerabilities, we saw that USB devices were a top source of infections. While it is possible to block USB devices, internal employee culture is to share data and shutting down USB ports could have a negative impact on productivity. Like many CISOs, we found ourselves weighing productivity loss against security risks.


The second set of threats we discovered came from users with a higher tendency to click on adware or online phishing threats. While technology can weed out the vast majority of these threats, every cyber security tool has a "leakage rate": a small percentage of threats that go undetected. Rather than relying on the tools alone, we analyzed the threats that were stopped, learned a lot about employee behavior, and saw how our end users were engaging in insecure behavior without realizing it.


The overall diagnostics gave us insight into our organization's employee risk and which areas of behavior we needed to address. The chart below is from our diagnostic exercise.

Chart: March Endpoint Security incidents by type

Phase 2: SURGICAL STRIKES


It is easy for CISOs to assume all employees are unsafe and to limit innovation within an organization through highly conservative cyber security policies. In reality, 95% of employees are safe end users.


Through our diagnostics process, we were able to identify the 5% of employees who were susceptible to cyber risk.


Amongst this 5%, we found that most employees lacked the basic information they needed to stay safe.


To engage our higher risk users, we sent surgical strike email campaigns promoting specific best practices and offered personalized security coaching to help them safeguard themselves and the entire organization.


One of the most difficult challenges when trying to improve the behavior and culture of your workforce is addressing the unresponsive and highest risk users (typically ~1% of a company). The key is to send them continuous, actionable, in-time tips and modules, because a trained user tends to stop repeating incidents. Our anonymized results for a specific month are shown below.

Chart: Illustrative results for March 2020
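The diagnostic step in Phase 1 (ranking incidents by type to find the top vector) and the Phase 2 step of isolating the small slice of repeat users can both be reproduced from an endpoint incident export. The following is an added illustration, not code from Godrej or SecurityAdvisor; the incident records, field layout, headcount and the "two or more incidents in the month" threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample of one month of endpoint incidents as (user, type, date).
# These are made-up records for illustration, not real Godrej data.
INCIDENTS = [
    ("u01", "usb_worm", "2020-03-02"),
    ("u02", "adware", "2020-03-03"),
    ("u01", "usb_worm", "2020-03-09"),
    ("u03", "phishing", "2020-03-10"),
    ("u02", "adware", "2020-03-12"),
    ("u04", "usb_worm", "2020-03-15"),
    ("u02", "phishing", "2020-03-20"),
    ("u05", "usb_worm", "2020-03-21"),
    ("u01", "adware", "2020-03-28"),
]

def incidents_by_type(incidents):
    """Phase 1 view: count incidents per vector to see which dominates."""
    return Counter(kind for _, kind, _ in incidents)

def top_vector(incidents):
    """The single most frequent incident type (USB in the page's case)."""
    return incidents_by_type(incidents).most_common(1)[0][0]

def incidents_per_user(incidents):
    """Incident count per user; users with zero incidents never appear."""
    return Counter(user for user, _, _ in incidents)

def repeat_distribution(incidents):
    """Phase 2 view: how many users had exactly 1, 2, 3 ... incidents."""
    return dict(sorted(Counter(incidents_per_user(incidents).values()).items()))

def at_risk_users(incidents, threshold=2):
    """Users at or above the repeat threshold: the slice that gets
    personalised coaching instead of org-wide restrictions."""
    per_user = incidents_per_user(incidents)
    return sorted(u for u, n in per_user.items() if n >= threshold)

def at_risk_share(incidents, headcount, threshold=2):
    """Fraction of total headcount that is at risk (assumed headcount)."""
    return len(at_risk_users(incidents, threshold)) / headcount

if __name__ == "__main__":
    print("By type:", dict(incidents_by_type(INCIDENTS)))
    print("Top vector:", top_vector(INCIDENTS))
    print("Repeat distribution:", repeat_distribution(INCIDENTS))
    print("At-risk users:", at_risk_users(INCIDENTS))
    print("At-risk share of 40 staff:", at_risk_share(INCIDENTS, 40))
```

Run against a real export, the same grouping gives the "incidents by type" chart and the "distribution of repeat users" chart, and the at-risk list is the audience for the targeted campaigns.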

Phase 3: CELEBRATE OUTCOMES


Celebrating outcomes and improvements in employee behavior should be an organization-wide effort. Keep group companies and department heads as allies, give them periodic progress reports, and solicit their help, especially in engaging with the highest risk and unresponsive users. By celebrating the improved outcomes of your at-risk end users and maintaining engagement with those at highest risk, your organization can only improve its security posture.


Chart: Number of USB related incidents / worms

Chart: Distribution of repeat users

We need to make sure that "at-risk" users are trained


Conclusion


It's easy for CISOs to think cyber security is just their job, but instead, every end user can affect the overall security posture of an organization. It’s important to partner with employees to help them understand how their behavior and culture as a user can lead to a range of security outcomes.


Godrej, by leveraging our partnership with SecurityAdvisor, was able to improve our security posture by:

1. Diagnosing the biggest areas of insecurity among our end users

Overall, the average employee is a safe employee. However, even safe employees need regular immunization and a calendar-based program to maintain secure end user behavior.

2. Ensuring employees are targeted with unique surgical strikes in areas where they are making repeat cyber security errors

The key is to make sure strikes are uniquely targeted with personalized security coaching and can be rolled out in short bursts without consuming employees' time or cutting productivity.

3. Celebrating the outcomes of end users with the entire organization

Keep department heads informed and as allies when approaching your at-risk end users. Celebrate the outcomes of those with no repeated incidents and double down on those who are unresponsive.



AUTHORS
  • Satyavrat Mishra, CISO, Godrej Group
  • Sai Venkataraman, CEO at SecurityAdvisor

Published on : April 20th, 2020
