According to a recent report from cybersecurity company Elevate Security and cyber security research organization Cyentia, a small group of employees is typically responsible for most of the cyber risk an organization faces. The report also found that the employees who expose their companies to phishing, malware, and insecure browsing tend to repeat these mistakes.
The report found that four percent of employees clicked 80 percent of phishing links, and three percent were responsible for 92 percent of malware events. The good news is that four in five employees have never clicked on a phishing email, and half of those employees never received one. These statistics reinforce the need to focus anti-phishing efforts on the at-risk workers.
Malware delivered by phishing and other attack vectors likewise affects a small group of employees. The research found that 96 percent of users have never experienced a malware event. Most malware events are concentrated in the three percent of users who suffered two or more, reinforcing the notion that security awareness messages are not being heeded by those employees.
A small number of users are also responsible for browsing risky websites. Twelve percent of users attempted to visit sites that violate their organization's browsing policy at least 750 times a year, causing security systems to block those sessions; these users accounted for 71 percent of all browsing violations.
However, across the three risk areas (phishing, malware, and insecure browsing), the study found no strong link between violating the company browsing policy and a user's number of phishing and malware incidents. Nine percent of users exhibited high-risk behavior in only one category, and only 0.052 percent of users fell into the high-risk category for all three. Source: "Just 3 percent of employees cause 92 percent of malware events", www.itpro.co.uk (Mar. 09, 2022).