A small group of employees is typically responsible for most of the digital risk in an organization, according to research released today.
The report, from cybersecurity company Elevate Security and cyber security research organization Cyentia, also found that those putting their companies at risk from phishing, malware, and insecure browsing are often repeat offenders.
Leaked Nvidia certificates used to sign malware bypassing Windows detection Google uncovers Russian phishing campaign targeting Ukrainian news provider Ransomware remains the top cyber security risk for SMBs
The research found that 4% of employees clicked 80% of phishing links, and 3% were responsible for 92% of malware events.
Four in five employees have never clicked on a phishing email, according to the research. In fact, it asserts that half of them never see one, highlighting the need to focus anti-phishing efforts on at-risk workers.
The malware that phishing and other attack vectors deliver also affects a small group of employees. The research found that 96% of users have never suffered from a malware event. Most malware events revolve around the 3% of users who suffered from two malware events or more, reinforcing the notion that security awareness messages just aren't getting through to some.
A small handful of users is also responsible for browsing risky websites. 12% of users tried to visit sites that violate their organization's browsing policy at least 750 times each in a year, causing security systems to block the session. These users accounted for 71% of all browsing violations.
Improve security and compliance
Adopting an effective security and compliance risk management approach
Illicit browsers aren't always the same people responsible for phishing emails and malware. The report found 9% of users exhibiting high risk in only one category, and only 0.052% of users falling into the high-risk category for all three activities.
Companies can mitigate human error by including technical controls to block malicious emails, but performance here is mixed. Almost one in five (17%) of departments blocked no malware.
Departments were either very good or very bad at blocking phishing emails. More than half of departments block 95% of these mails, while one in ten block almost none. Those that receive the most phishing emails per year are more likely to block them.
The report found that block rates for both phishing emails and malware are not uniform within organizations. Individual departments have varying success rates at stopping digital toxins.
"Simply making controls available or even requiring them isn’t enough," the report said. "Organizations have to be willing to also measure whether those controls are doing what they are supposed to be doing."
