Just 3% of employees cause 92% of malware events
Staff putting their companies at risk from phishing, malware, and insecure browsing are often repeat offenders
A small group of employees is typically responsible for most of the digital risk in an organization, according to research released today.
The report, from cybersecurity company Elevate Security and cybersecurity research organization Cyentia, also found that those putting their companies at risk from phishing, malware, and insecure browsing are often repeat offenders.
The research found that 4% of employees clicked 80% of phishing links, and 3% were responsible for 92% of malware events.
Four in five employees have never clicked on a phishing email, according to the research. In fact, it asserts that half of them never see one, highlighting the need to focus anti-phishing efforts on at-risk workers.
The malware that phishing and other attack vectors deliver also affects a small group of employees. The research found that 96% of users have never suffered from a malware event. Most malware events revolve around the 3% of users who suffered from two malware events or more, reinforcing the notion that security awareness messages just aren't getting through to some.
A small handful of users is also responsible for browsing risky websites. 12% of users tried to visit sites that violate their organization's browsing policy at least 750 times each in a year, causing security systems to block the session. These users accounted for 71% of all browsing violations.
Risky browsers aren't always the same people responsible for phishing clicks and malware events. The report found 9% of users exhibiting high risk in only one category, and only 0.052% of users falling into the high-risk category for all three activities.
Companies can mitigate human error by adding technical controls that block malicious emails, but performance here is mixed. Almost one in five departments (17%) blocked no malware at all.
Departments were either very good or very bad at blocking phishing emails. More than half of departments block 95% of these mails, while one in ten block almost none. Those that receive the most phishing emails per year are more likely to block them.
The report found that block rates for both phishing emails and malware are not uniform within organizations. Individual departments have varying success rates at stopping digital toxins.
"Simply making controls available or even requiring them isn’t enough," the report said. "Organizations have to be willing to also measure whether those controls are doing what they are supposed to be doing."
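The two measurements the report relies on, how concentrated risk events are among a few users and how well each department's controls actually block phishing, can be computed from an organization's own event data. The following is an added example, not code from the report or from Elevate Security or Cyentia; the per-user event counts and per-department mail totals are constructed sample data, and the 90% block-rate threshold is an assumed value.

```python
"""Concentration of user-level risk and per-department control effectiveness.

Added example (not code from the Elevate Security / Cyentia report).
All event counts and department totals below are constructed sample data.
"""
from typing import Dict, List, Tuple

# Constructed sample: malware events per user over a year (0 = never affected).
MALWARE_EVENTS = {f"u{i:02d}": 0 for i in range(1, 9)}
MALWARE_EVENTS.update({"u09": 1, "u10": 9})

# Constructed sample: per department, (phishing mails blocked, phishing mails delivered).
PHISH_BY_DEPT = {"finance": (190, 10), "engineering": (0, 40), "sales": (60, 60)}


def share_from_top_users(events: Dict[str, int], top_fraction: float) -> float:
    """Share of all events attributable to the top `top_fraction` of users by count.

    Users are ranked by event count; the top slice is rounded to at least one user.
    """
    total = sum(events.values())
    if total == 0:
        return 0.0
    ranked = sorted(events.values(), reverse=True)
    top_n = max(1, round(top_fraction * len(ranked)))
    return sum(ranked[:top_n]) / total


def never_affected_fraction(events: Dict[str, int]) -> float:
    """Fraction of users with zero events (the report's 'never clicked / never infected')."""
    return sum(1 for n in events.values() if n == 0) / len(events)


def repeat_offenders(events: Dict[str, int], min_events: int = 2) -> List[str]:
    """Users with at least `min_events` events: the candidates for targeted training."""
    return sorted(u for u, n in events.items() if n >= min_events)


def block_rates(by_dept: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Per-department block rate = blocked / (blocked + delivered); 0.0 when no mail seen."""
    return {d: (b / (b + s) if b + s else 0.0) for d, (b, s) in by_dept.items()}


def underperforming(by_dept: Dict[str, Tuple[int, int]], threshold: float = 0.9) -> List[str]:
    """Departments whose measured block rate falls below `threshold` (assumed 90%)."""
    return sorted(d for d, r in block_rates(by_dept).items() if r < threshold)


if __name__ == "__main__":
    print(f"top 10% of users -> {share_from_top_users(MALWARE_EVENTS, 0.10):.0%} of events")
    print(f"never affected: {never_affected_fraction(MALWARE_EVENTS):.0%}")
    print("repeat offenders:", repeat_offenders(MALWARE_EVENTS))
    print("block rates:", block_rates(PHISH_BY_DEPT))
    print("below threshold:", underperforming(PHISH_BY_DEPT))
```

Feeding real mail-gateway and endpoint event exports into `MALWARE_EVENTS` and `PHISH_BY_DEPT` gives the same two views the report argues for: who the repeat offenders are, and which departments' controls are not doing what they are supposed to.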