When risky cybersecurity behavior becomes habitual among employees

A recent study conducted by Mimecast revealed that while the majority of employees are cautious about cybersecurity, a small subset of individuals engage in risky behaviors that pose significant challenges to organizational security. According to the report, 48% of employees have been found to partake in activities that put their organizations at risk of cyber threats, with browsing violations being the most common issue among users.

Browsing violations, which include actions such as visiting potentially harmful websites, may not directly impact security but can increase the likelihood of encountering malware or falling victim to online scams. Additionally, the study highlighted the prevalence of impersonation phishing attacks across various industries, with healthcare and education sectors being particularly vulnerable.

Despite the high volume of phishing emails employees receive, Mimecast's analysis revealed that 89% of users never clicked on any of them. Among those who did fall for real-world phishing attempts, the click rate was approximately 12.5%. The report suggests that targeted training programs can help reduce phishing click rates by an average of 25% among susceptible users.

Furthermore, the study identified that a small percentage of users are responsible for a disproportionate number of security incidents within organizations. For example, just 1% of users accounted for 44% of all clicked phishing emails, while 5% were responsible for all malware incidents. Managers, executives, sales personnel, and board members were found to be more frequently targeted by phishing attacks due to their public profiles and higher levels of access.

In a hypothetical 1,000-person organization, the report estimates that 14 employees are likely to download or execute malware, with seven of them triggering malware on a monthly basis and four encountering malicious software weekly. Interestingly, despite receiving fewer phishing emails, lab employees were found to be the most likely to click on them, highlighting the difference between being targeted and being susceptible to trickery.

The study underscores the importance of addressing human behavior as a critical vulnerability in maintaining organizational security. Cybersecurity leaders are advised to adopt a proactive and human-centric approach to managing risk, which goes beyond traditional awareness training and focuses on driving behavioral change through targeted and continuous education and reinforcement efforts.

Overall, the findings of the Mimecast study emphasize the need for organizations to be vigilant in addressing risky behaviors among employees and to prioritize ongoing cybersecurity education and training to mitigate potential threats effectively. By fostering a culture of security awareness and proactive risk management, businesses can better safeguard against cyber threats and protect sensitive data from breaches.
