If there is a single common factor for most security breaches, it’s because people are involved. Humans are the reason for insecure passwords, lost secrets, and compromised data if only because humans have trouble remembering the details of security. While there are technical causes for many breaches, even there it’s often the human factor that ultimately leads to the technical weakness. Dealing with the human factor is where Right-Hand Cybersecurity comes in.
The company has built a “human risk management platform” to “help organizations measure which employees are the most breach prone, and then provide targeted nudges and micro modular training to help employees reduce their risk,” says Theo Nasser, Co-Founder and CEO of Right-Hand Cybersecurity.
Aside from the significant financial losses that come from these incidents, one lesson has become increasingly clear: people remain the weakest link in the chain of cybersecurity systems. The vast majority of cyber-attacks are caused by human error (such as clicking on a phishing link), using a found USB flash drive, or careless behaviour (such as sharing sensitive information outside of a company’s network).
Nasser said that by aggregating user data from its existing suite of cybersecurity tools the company creates a list of vectors of network vulnerability. In turn, Right-Hand’s system considers the components of users’ risk scores to provide highly individualized training materials to correct behaviours in real-time rather than, say, once per quarter.
Cyber breaches and attacks against major organizations have become a common feature in today’s IT industry. For example, the WannaCry hacks in 2017, the Colonial Pipeline ransomware attack in 2021, and the ransomware attack against the San Francisco 49ers in 2022 are just a few of many that involve mistakes made by people charged with securing those networks.
However, many mainstream vendors designing the newest and most sophisticated cybersecurity tools remain strongly focused on the technical vulnerabilities that are often vectors for ransomware and other devastating attacks, but not always paying attention to the human factor.
“We're delivering training in real time, to an individual, based on what they need to know, when they need to know it, and why,” Nasser says. “It's alert-based training; it's behaviour based training, and it’s meant to complement a company’s compliance.”
Right-Hand’s training modules range from helping users generate strong passwords to recognizing phishing attacks or characteristics of spoofing webpages, among many others, with the goal of simulating real-life scenarios and providing experiential and adaptive learning. In addition, Right-Hand’s backend technology integrates AI to interpret behaviours and select tailored learning materials that are most appropriate for a given user.
“Every single employee receives a learning journey and a learning curriculum on cybersecurity best practices based on their very specific risks they exhibit,” says Nasser. “We provide tons of content across all different topics. It's basically a blend of the learning management system combined with a very gamified experience where we incorporate AI to deliver bespoke learning that’s personalized to every single user's needs. So instead of your one size fits all training, we're able to deliver personalized user-based training at scale.”
Nasser’s company is being used in highly regulated industries, such as banking and utilities, as well as verticals involving large networks such as education. These sectors, Nasser says, require “more than just checking the box” when it comes to cybersecurity training.
Nasser and his team at Right-Hand are leading cybersecurity professionals in an often overlooked direction – one that is focused on the human dimension of risk, and ways to change the behaviours that are often the biggest factor in major attacks.