The Overlooked Importance of Identifying Riskiest Users

Source: Ben3images via Alamy Stock Photo

COMMENTARY

In healthcare, the “see one, teach one, do one” model refers to an incremental learning process: Trainees first observe a procedure, then learn to teach it to others, then perform it themselves. This framework can be applied to cybersecurity by encouraging employees, especially those identified as high-risk users, to progress through a similar cycle of observation and education, followed by a combination of tool implementation and practice. This approach fosters a deep understanding of cybersecurity risks, increases tool efficiency, and empowers users to mitigate risks actively.

As organizations accumulate a growing array of cybersecurity tools, many fail to consider that their riskiest users can be the weakest link in their defenses. Reach Security’s analysis reveals that 80% to 90% of threats relate to just 3% to 5% of the organization’s user population. This is further complicated if you consider that roughly 20% of the users in a company’s most attacked group change monthly.

These users, whether high-profile executives, employees with privileged access, or those who engage in risky behavior, have the potential to cause significant damage, either through negligence or intentional actions.

By focusing on high-risk individuals, organizations can address the root causes of many cybersecurity threats, allowing them to allocate resources more effectively and reduce reliance on sprawling security tools that attempt to protect everyone equally.

When it comes to managing the riskiest users, the “see one, teach one, do one” methodology can guide a more human-centered approach to cybersecurity. This model can be applied to not only help users understand the risks they face but also enable them to become advocates for cybersecurity within the organization. It also it reduces overall risk and tool sprawl.

See One: Observation and Awareness

The first stage of the process is to identify the most attacked people (MAP), which can be done using a solution that provides visibility into the data that teams already have in place. For instance, syncing the central record of identity (e.g. Active Directory, Azure Active Directory, Google Workspace, Okta) can uncover high-risk user data.

Once these high-risk users — such as CEOs, senior executives, and IT personnel with elevated privileges — are identified, security teams can provide personalized demonstrations of how they might be targeted, showcasing real-world examples, such as phishing emails tailored to executives or potential data breaches from insecure networks. In addition, executives can observe how inadequate use of multifactor authentication (MFA) or improper handling of sensitive data can increase their exposure to threats.

The “see one” stage is crucial for both identifying the MAP and helping those users gain a baseline awareness of the specific threats they face.

Teach One: Educating Others

In the second phase, high-risk users transition from observers to educators. The “teach one” phase helps break down silos within an organization by fostering a shared responsibility for cybersecurity. For instance, an executive who has learned the dangers of targeted phishing can then relay that information to their team, strengthening collective awareness.

Teaching cybersecurity concepts to others creates a ripple effect, reducing the reliance on technical tools by embedding good security practices into the organization’s daily behavior.

Do One: Practice and Implementation

Finally, the “do one” phase focuses on real-world application. Organizations face the dual challenge of pinpointing high-risk users and integrating data from multiple security tools to monitor these risks over time. This can be further complicated by the necessity to continuously update and enhance security measures across the enterprise to stay ahead of evolving threats. With continuous monitoring, teams can better identify and track shifts in the threat landscape, ensuring that those in the MAP are always under watch. Finally, putting forth a holistic security strategy that is both user- and device-aware will ensure that protective measures are as personalized and effective as possible.

Knowing where risk lives introduces an ability to focus. An ability to focus allows teams to see the biggest impact on the smallest number of folks. From there that focus group learns and teaches. Once they have knowledge, they’re open to ways in which they can be protected — and can use the security controls in the most efficient ways possible.

A Different Approach to Risk-Based Management

Managing human-based cybersecurity risk requires a shift toward a more focused strategy that considers the riskiest users in your organizations. By identifying and supporting the riskiest users with the “see one, teach one, do one” model, organizations can reduce vulnerabilities where they matter most.

About the Author

CEO & Co-Founder, Reach Security

Garrett’s career has included leadership roles in SaaS Product Management, plus Go-To-Market at industry leaders like Palo Alto Networks, as well as hands-on threat analysis, training, & consulting at firms including HBGary. While at Palo Alto Networks, Garrett was responsible for the WildFire product supporting its growth from launch to more than 60,000 customers.