Cybersecurity isn’t just about firewalls and encryption anymore—it’s about people. Every click, every email, every interaction can open the door to risk. In fact, employees spend an average of 11 hours a week in email, making them prime targets for sophisticated social engineering attacks. The reality? Your greatest vulnerability isn’t your tech stack—it’s human behavior.
In this video, RapidScale AVP of Sales Bob Buchanan teams up with Brandon Reid, Field CTO at Mimecast, to unpack why human risk management is now the frontline of cyber resiliency. From multi-channel attacks to AI-driven threats, discover how organizations can measure, empower, and protect their workforce to stay ahead of evolving risks. Watch now and learn practical steps to strengthen your security posture today.
Video Transcript
Bob Buchanan, RapidScale: Did you know that each of your employees spends 11 hours every week in email? This opens your organization to tremendous risk to your employees that may fall victim to a social engineering attack.
Hi, my name is Bob Buchanan. I'm the AVP of Sales here at RapidScale, a managed cloud provider. Today, we're diving into one of the most pressing challenges in cybersecurity: the human element.
As the threat landscape evolves, it's no longer just about protecting your infrastructure. It's about protecting your data from human errors. We're fortunate enough to have Brandon Reid, a Field CTO at Mimecast, one of RapidScale's most trusted security partners.
Brandon Reid, Mimecast: Hey, Bob, it's great to be here. I'm really excited to dive into human risk management and talk to you a little bit about how it's shaping cybersecurity today.
BB: Awesome. Brandon, Mimecast and RapidScale have enjoyed a great partnership for many, many years. For RapidScale, the security of our clients' tech stack is our top priority, and Mimecast is one of the best-in-breed partners in helping fulfill that mission.
Brandon, before we dive in, can you give us a quick overview of how Mimecast's mission has evolved from email security to human risk management?
BR: Yeah, absolutely. So Bob, email is still the number one attack vector today that bad actors are using. But over time we've seen that those attackers have been shifting their tactics, targeting people, not just systems. So Mimecast has evolved our solution and our portfolio to include human risk management, which is about understanding how people interact with technology and where those interactions create vulnerabilities. It's the natural next step in cybersecurity.
BB: So, fascinating insight, Brandon, and I must say, terrifying. Why is human risk management becoming so prevalent right now?
BR: That's a great question. You know, there's a few reasons. First, it's because traditional training, like phishing simulations, just aren't cutting it anymore. Hackers are using more sophisticated, multi-channel attacks that are harder to spot for the average employee. And people are unpredictable. You can lock down your tech stack, but if an employee clicks the wrong link or shares sensitive data in a chat, your defenses are compromised. That's why we need to focus on the human layer.
BB: Yeah. You know what? That makes sense and I've always known Mimecast and thought of Mimecast as it relates to email, but it's not just about email. What kind of channels are attackers using that make this even more complex than ever?
BR: We're seeing multiple different methods being used. Uh, we're seeing attacks that come through phone calls after an email's been sent. We see text messages, we see Teams, Slack, and even fake IT portals used. It's impersonation, manipulation, and timing, all used together at the weakest point. And that's why visibility and education across all communication channels is really so critical today.
BB: So if we think about the real world here, I've heard a few stories in the news about serious social engineering campaigns that are tricking not just, um, you know, maybe a naive employee, but the smartest of individuals. Can you maybe dive a little bit deeper into that?
BR: What we're seeing a lot lately is multi-channel social engineering attacks. So you can think of these attacks like a web. Attackers use multiple touchpoints to confuse and manipulate the targeted end user. So for example, they may flood an employee's inbox with spam, then they call that employee pretending to be their IT support, offering them help with the spam. And before you know it, that employee is giving the bad actor access to their credentials. It's coordinated, it's convincing, and it's designed to exploit human trust. That's why we need to train employees to recognize patterns, not just individual threat components.
BB: Yeah, wild stuff. So it's phone calls, Teams messages, and even impersonation on fake IT support.
BR: Exactly, and let me share some real-life examples. First up is Kettering Health. They're a hospital provider based in Ohio that was recently hit with a ransomware attack that totally disrupted patient care. The likely entry point was a phishing email or compromised employee credentials. With stronger training and better visibility into employee behavior, this kind of breach could have been stopped in its tracks.
BB: Yeah. Very scary scenario, especially with patient data and healthcare. But what other industries are we talking about?
BR: Well, the FBI recently issued a warning about a group called Scattered Spider, targeting major airlines. These attackers impersonate IT staff and trick employees into handing over access to internal systems. No malware, just pure manipulation. It's a reminder that your people are both your greatest asset and your biggest risk.
BB: I bet we both could comment on one in the hospitality arena.
BR: Yeah. MGM Resorts, last year, 2024, right after Black Hat. That breach started with a simple phone call. An attacker impersonated an employee, got access to their systems, and the result was a, you know, $45 million class action lawsuit that could have been prevented, again, with human risk management.
BB: So for organizations that might be listening in today, in your professional opinion, what should they be focused on to make sure none of these situations impact them?
BR: Every business needs to think about 3 things. Their ability to measure risk, their ability to then empower the users based on the risk scoring and the measurable risk of the employees, and then their ability to protect the business. And these three things relate back not to just their security, but their employees. They all work together. If you can measure, you can empower, and then you can adapt your protections as needed to meet the risk.
For example, let's take artificial intelligence. It's a challenging threat. But at Mimecast, we're using AI to be more resilient. We're using it to detect anomalies, to flag risky behavior, and guide users in real time to make the right decisions.
Now, let's face it. Your employees are using AI tools, whether your business has approved them or not. Mimecast helps you to leverage those AI tools and keep your data safe. It's not about stopping AI use, it's about empowering your employees to be smart about it and use it in the right ways and use those AI tools that you want them to be using.
Then third, there's resource imbalances. Here's some data to paint the picture. On average, about 8% of a company's employees account for 80% of their cyber risk. We were able to gather this information through our customers and our tools. So what does that mean? Well, it means that your security team is spending a disproportionate amount of time managing incidents caused by a small fraction of users.
To keep your business protected, you need to measure your employees so that you have the visibility that you need to make smart security decisions and protect your business. Mimecast can help organizations build a strong security posture using this methodology I've mentioned, which is measure, empower, and protect.
BB: Yeah, that's a really solid framework. And I guess to summarize, it's not just about locking everything down. It's about managing risk in a practical way that still allows the worker to do their job effectively.
Brandon, thank you. And to our listeners, if today's conversation sparked some ideas about your security posture, now is the time to act. This is not a future problem. It is definitely a today problem in every industry. Together, RapidScale and Mimecast are here to help you. Make sure you get the infographic on the State of Human Risk Management linked below. If you have any questions, head to the Contact Us page, also linked below, and get in touch with our respective teams. See you next time.