A report by security company Elevate Security has revealed that 3 per cent of users are responsible for 92 per cent of malware events for businesses, indicating that a small number of users create most of the risk.
2016 to 2021
‘The Size and Shape of Workforce Risk’ report, conducted on data provided to the Cyentia Institute by Elevate Security, included events starting in January 2016 through December 2021, and took into account 15.1m unique events associated with 168k users spread across more than 3.8k organisational departments.
Some startling key findings of the report were that:
- 4 per cent of users are responsible for 80 per cent of phishing incidents, some clicking as often as twice a month.
- 3 per cent of users are responsible for 92 per cent of malware events.
- 1 per cent of users will average an incident every other week.
- 12 per cent of users are responsible for 71 per cent of secure browsing incidents.
- 1 per cent will trigger 200 events per week.
What Is A Risky User, and Why Are They Risky?
As identified by the stats in the report, the risky users are those small percentages who cause security incidents, sometimes repeatedly. For example, where phishing emails are concerned, just over half of users never receive phishing emails, but some users may simply receive far more phishing emails than others (hundreds per year vs. a few). This doesn’t necessarily make them risky, because of the phishing emails that aren’t blocked in the first place, most users (75 per cent) click on them less than 10 per cent of the time. The Cyentia report, however, says that there is a small group (3.9 per cent of users) who have clicked 3 or more phishing emails and who account for 80 per cent of all phishing clicks. Within this group is the 1 per cent who click more than 52 a year – once a week. As the report suggests, these are the risky users.
Also, according to the report, where malware is concerned, although 94 per cent of users never encounter malware, some experience it weekly. Of the users who do encounter it, 10 per cent average more than 11 events per year, with 1 per cent as high as 27 events per year. These are the high-risk users for malware.
Similarly, where browsing is concerned, only a small percentage of users account for most of the secure browsing events – i.e. 12 per cent cause 71 per cent of the events.
What To Do
Elevate’s report recommends several ways that businesses and organisations can minimise the security risk caused by risky users. These are:
- Start measuring to identify which users pose an outsized risk. The biggest vulnerability for any business network is the employees using it. Phishing is by far the most common attack vector, yet the NCSC reports that only 14 per cent of staff have received training. A simulated phishing email can be sent to employees. This is done not to catch people out but to measure the level of vulnerability to the business and identify those who need additional training.
- Check the efficacy of controls – i.e. check how many phishing emails are getting through the filters, how uniformly AV software is installed, and make sure the controls are not just in place but are working properly for everyone.
- Identify who’s generating the majority of security events and understand the reasons – e.g. a user may be an outsized target for attackers, or someone who has slipped through the security controls, or both. Also, consider checking the browsing history of a “click-happy user”. If needed, implement an internet policy and control any misuse, or ban personal use altogether.
- Start monitoring and helping the risky users. This could be done by setting up ‘guardrails’ and focused controls and providing additional cyber security training.
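The “start measuring” recommendation above, and the earlier point that a small group of repeat clickers accounts for most phishing clicks, both come down to the same calculation: from a per-user event log, find how small a group of users accounts for a given share of events, and flag the users above a repeat threshold. The following is an added example, not Elevate’s tooling or anything from the report; the user population, event log and the 3-event threshold are constructed for illustration.

```python
"""Measure how concentrated security events are across a user population.

Added example (not the report's data or Elevate's code): given a list of
users and a per-user event log, find the smallest group of top users that
accounts for a chosen share of events, and flag repeat offenders.
"""
from collections import Counter

# Constructed population: 20 users, most of whom never generate an event.
ALL_USERS = [f"u{i:02d}" for i in range(1, 21)]

# Constructed event log of (user, event_type) pairs; values are invented.
EVENTS = (
    [("u01", "phish_click")] * 12
    + [("u02", "phish_click")] * 8
    + [("u03", "phish_click")] * 3
    + [("u04", "phish_click"), ("u05", "phish_click"), ("u06", "phish_click")]
    + [("u01", "malware")] * 5
    + [("u07", "malware")] * 2
    + [("u02", "malware")]
)


def count_by_user(events, event_type):
    """Count events of one type per user (users with no events are omitted)."""
    counts = Counter()
    for user, kind in events:
        if kind == event_type:
            counts[user] += 1
    return counts


def concentration(counts, population, share=0.8):
    """Smallest group of top users whose events reach `share` of the total.

    Returns (users_in_group, fraction_of_population, fraction_of_events),
    i.e. the shape of statements like "4% of users cause 80% of incidents".
    """
    total = sum(counts.values())
    if total == 0:
        return [], 0.0, 0.0
    target = share * total
    group, covered = [], 0
    for user, n in counts.most_common():  # descending by event count
        group.append(user)
        covered += n
        if covered >= target:
            break
    return group, len(group) / len(population), covered / total


def flag_repeat_offenders(counts, min_events=3):
    """Users at or above the repeat threshold (the report groups by 3+ clicks)."""
    return sorted(u for u, n in counts.items() if n >= min_events)


def never_affected_fraction(counts, population):
    """Share of the population that generated no events of this type at all."""
    return 1 - len(counts) / len(population)


if __name__ == "__main__":
    for kind in ("phish_click", "malware"):
        counts = count_by_user(EVENTS, kind)
        group, users_frac, events_frac = concentration(counts, ALL_USERS)
        print(
            f"{kind}: {users_frac:.0%} of users ({', '.join(group)}) account for "
            f"{events_frac:.0%} of events; "
            f"{never_affected_fraction(counts, ALL_USERS):.0%} never affected; "
            f"repeat offenders (3+): {flag_repeat_offenders(counts)}"
        )
```

On the constructed data this reports that 15 per cent of users account for 88 per cent of phishing clicks, which is the kind of figure the report builds its findings from; in practice the event log would come from the mail gateway, endpoint AV and web proxy, and the population from the directory, so that users who never trigger anything are still counted in the denominator.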
What Does This Mean For Your Business?
This report emphasises how important it is to have blocking measures and controls in place, backed by employee cyber security training, so that the vast majority of phishing emails and malware (for example) are stopped from getting through in the first place. It also shows that a disproportionately small number of users may be responsible for most of the risk, but these will not be identified unless the business measures and monitors to find out who they are. The suggestion here is that, rather than subjecting all users to the same level and type of treatment, companies can put more effort into identifying the riskiest users and concentrate more help on them. This could be a smarter and more efficient way for companies to boost security.