About us: Godrej Group is a multinational enterprise with revenue greater than $4.1B, 1.1B consumers globally and a footprint across the globe. Godrej Industries Limited and Associate Companies (GILAC) is part of the Godrej Group. Godrej Industries is one of the Godrej Group's holding companies and has significant interests in consumer goods, real estate, agriculture and chemicals through our subsidiary and associate companies, across 18 countries.
SecurityAdvisor is a cybersecurity firm out of the Bay Area offering security awareness and automation solutions that fortify the end user through real-time and personalized security training. Godrej and SecurityAdvisor have partnered to safeguard employees from hackers.
Godrej has more than 10,000 employees across 4 continents. We take pride in being an exemplary employer. Today, we talk about how we partner with our employees, leveraging SecurityAdvisor, to help them stay safe from a cyber security standpoint.
Multiple studies have shown that between 60% and 95% of cyber incidents are caused by human actions. This is even more true today with the shift to remote work. The natural recourse for a CISO is to block employees from embracing technology or to place arbitrary limits on their browsing. Instead of limiting our employees, Godrej aimed to improve the security posture of our organization through direct end user education and engagement. Ultimately, this means securing the pipes through which our employees interact with the external world: the web and email.
In this paper, we talk about the importance of partnering with employees to help them understand how their behavior, engagement, and culture as a user can lead to a range of security outcomes. Below you will find the 3 legs of our strategy to engage and empower employees and to measurably improve security outcomes:
When we analyzed our data to find vulnerabilities, we saw that USB devices were a top source of infections. While it is possible to block USB devices, our internal employee culture is to share data, and shutting down USB ports could have a negative impact on productivity. Like many CISOs, we found ourselves weighing productivity loss against security risks.
The second set of threats we discovered were from users with a higher tendency to click on adware or online phishing threats. While technology could weed out the vast majority of these threats, every cyber security tool has a “leakage rate” - a small percent of threats that go undetected. Instead, by analyzing the threats that were stopped, we learned a lot about employee behavior and saw how our end users were engaging in insecure behavior without realizing it.
The overall diagnostics gave us insight into our organization’s employee risk and the areas of behavior we needed to address. The chart below is from our diagnostic exercise.
It is easy for CISOs to assume all employees are unsafe and to limit innovation within an organization through highly conservative cyber security policies. But in actuality, 95% of employees are safe end users.
Among the remaining 5%, we found that most employees lacked the basic information they needed to stay safe.
One of the most difficult challenges when trying to improve the behavior and culture of your workforce is addressing the unresponsive and highest risk users (typically ~1% of a company). The key is to send them continuous and actionable, in-time tips and modules because a trained user tends to stop repeating incidents. Our disguised results for a specific month are below.
Celebrating outcomes and improvements in employee behavior should be an organization-wide effort. Keep group companies and department heads as allies, give them periodic progress reports, and solicit their help, especially in engaging with the highest-risk and unresponsive users. By celebrating the improved outcomes of your at-risk end users and maintaining engagement with those at highest risk, your organization can only improve its security posture.
We need to make sure that "at-risk" users are trained
It's easy for CISOs to think cyber security is just their job, but every end user can affect the overall security posture of an organization. It’s important to partner with employees to help them understand how their behavior and culture as a user can lead to a range of security outcomes.
Overall, the average employee is a safe employee. However, even safe employees need regular immunization and a calendar-based program to maintain secure end user behavior.
The key is to make sure strikes are uniquely targeted with personalized security coaching and can be rolled out in short bursts without consuming their time or cutting productivity.
Keep department heads informed and as allies when approaching your at-risk end users. Celebrate the outcomes of those with non-repeated incidents and double down on those that are unresponsive.
CISO, Godrej Group
CEO at SecurityAdvisor