Security Experts:

Bridging the Gap Between Training and Behavior

While employees want to do the right thing when it comes to protecting their organization from cyber threats, we cannot expect them to be perfect

As we start off 2022, companies continue to be victimized by threat actors and ransomware gangs. These losses can threaten the continuity of a business, especially for small and medium sized enterprises who simply cannot afford ransomware incidents that cost six or seven figures to remediate. Meanwhile, the sophistication of threat actors’ techniques continues to increase.

While the cybersecurity community has done a great job of making employee training more realistic and effective through simulated phishing programs and interactive training, there remains a large gap between well trained employees and the overall security posture of an organization.

On any given day, a crafty phishing or socially engineered business email compromise can turn a well trained worker into a victim. To supplement cyber training, organizations should consider implementing a balanced approach that combines training with Zero Trust policies that enforce least privilege so employees only have access to the resources they need to perform their jobs.  

Here are several easy to implement techniques that any size organization can use to apply this approach:

Zero Trust Browsing  

According to, 64% of all employees visit non-work related sites every day. Putting aside productivity concerns, employees that access websites for personal reasons can introduce malicious files or click on links that can corrupt their machine or the corporate network. 

A healthy work environment allows employees the freedom to take some personal time, but not at the expense of exposing the organization to a cyber attack. Zero Trust remote browsing enables this level of freedom while also protecting the corporate network from malware. By utilizing this approach, employees can browse with relatively few constraints yet have a backstop if they navigate to a site or click on a link that turns out to be nefarious.   

Zero Trust browsing is easy to implement with solutions that force a containerized virtual machine (VM) session in the cloud for any non-trusted internet activity, such as accessing personal email or non-trusted websites. A protocol of scanning attachments for malware before download to the local machine is also an essential piece of hygiene. These approaches allow for a more resilient cyber approach to security threats that employees can introduce in their daily workflow.   

Zero Trust Application Management 

In addition to web browsing, all employees have to access externally accessible work related resources such as finance/HR systems, CRM, and other tools to perform their job functions. These applications should be seamlessly accessible from any device, but they can still create attack vectors for exploitation and privilege escalation. 

The bottom line is that browsing activity is an essential part of business and a key vector that can be exploited. For this reason, workplace applications should be accessed in a containerized cloud environment. 

While employees want to do the right thing when it comes to protecting their organization from cyber threats, we cannot expect them to be perfect. A Zero Trust safety approach to web browsing and application access management provides guardrails that allows enterprises to stay one step ahead of threat actors.

view counter
Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.