Mimecast helps e-recruiting business, StepStone, to stop 70 percent of phishing attacks

StepStone uses new safety system and cybersecurity awareness training to reduce phishing and impersonation emails.

  • Thursday, 23rd September 2021, posted by Phil Alsop

The e-recruiting business, StepStone, has used Mimecast to strengthen its defences against a surge in email attacks. Before using Mimecast, StepStone employees received over 10 spear phishing emails a month. With a new safety system and training of employees provided by Mimecast, the company has today reduced that number to an average of just 2.5.

StepStone reached out to Mimecast after its job portal nearly fell victim to an impersonation attack. Impersonation attacks are particularly malicious because the criminals pretend to be employees of the company, with the aim of gaining access to company data and systems. According to Mimecast's State of the E-Mail Security Report, 47 percent of companies surveyed stated that the number of impersonation attacks carried out via e-mail has increased in the past year.

Building a human firewall

StepStone receives around 10 million emails a month and previously 70 to 75 percent of these were infected and dangerous. Before working with Mimecast, these emails were passing through the company’s security system and reaching employees. Mimecast worked with StepStone to provide a comprehensive security strategy. From a technical perspective, the email security specialist provided solutions in the areas of web security, archiving and internal e-mail protect (IEP).

On top of this, Mimecast helped StepStone to build a so-called human firewall, using a bespoke training programme designed to minimise human error. By focusing on raising awareness and cyber-hygiene, StepStone has enabled its employees to better understand a threat situation, and to recognise and report dangerous e-mails before major damage occurs.

Serge Groven, Corporate IT Manager at StepStone, added: “Mimecast offered the exact mix we were looking for, combining traditional methods with advanced technology, as well as on-demand support and a quick implementation and rollout period. The extra visibility is also a huge benefit. With Office 365, conducting any forensics, spot checks or investigations is a very slow process. With Mimecast, you get nearly instant results and that’s making our IT staff more productive. When something is quick and easy, it makes us better as a team. We’re not fighting against the system.”

Making cybersecurity awareness training fun

To make the cybersecurity awareness training more engaging for StepStone employees, Mimecast made the interactive videos fun and humorous. The scripts are written by well-known comedy writers from the television and film world, whilst professionals from the entertainment industry produce the videos. Each training video revolves around a relevant safety topic and lasts between three and five minutes.

Groven added: “The awareness training videos are short, entertaining and convey clear messages that stick. The videos are reminiscent of a good TV entertainment show with recognizable characters. We actually experience that our employees ask when the next ‘episode’ will appear. Today we experience far fewer email threats. Just a month after implementing the new security solution, we saw an enormous decrease in spear phishing emails, and we are still noticing that today.”

The neuroscientist Dr. Daniel Glaser said: “Why would you use humour in corporate training around cyber-security? The way we learn and recall information suggests this is a good idea. Our brains are always on the lookout for the unexpected - there is a particular signature in the brain for ‘oddball’ stimuli - and comedy elements in the presentation of email security protocols immediately grab our attention.”

Glaser continued: “Making things funny produces a richer set of associations when you’re forming new memories. The memories we form are holistic and can include the emotion (and smells and sounds) that were present when we first encountered the content. So if humour is intrinsic to the security message, it gets rolled into a more distinctive package that makes it more likely that you’ll successfully retrieve it when you need to. There’s nothing funny about a ransomware attack - but this approach to training can help to keep a smile on your face.”