3% of Users Responsible for 92% of Breaches

2016 to 2021   

‘The Size and Shape of Workforce Risk’ report, conducted on data provided to the Cyentia Institute by Elevate Security, included events starting in January 2016 through December 2021, and took into account 15.1m unique events associated with 168k users spread across more than 3.8k organisational departments.   

Key Findings   

Some startling key findings of the report were that:   

• 4 per cent of users are responsible for 80 per cent of phishing incidents, some clicking as often as twice a month.
• 3 per cent of users are responsible for 92 per cent of malware events.
• 1 per cent of users will average an incident every other week.
• 12 per cent of users are responsible for 71 per cent of secure browsing incidents.
• 1 per cent will trigger 200 events per week.   

What is a Risky User, and why are They Risky?  

As identified by the stats in the report, the risky users are those small percentages who cause security incidents, sometimes repeatedly. For example, where phishing emails are concerned, just over half of users never receive phishing emails but some users may simply receive a lot more phishing emails than others (100s per year vs. a few). This doesn’t necessarily make them risky because for the phishing emails that aren’t blocked in the first place, most users (75 per cent) click on phishing emails less than 10 per cent of the time. The Cyentia report, however, says that there is a small group (3.9 per cent of users) who have clicked 3 or more phishing emails and who account for 80 per cent of all phishing clicks. Within this group is the 1 per cent who click more than 52 a year – once a week. As the report suggests, these are the risky users.  

Also, according to the report, where malware is concerned, although 94 per cent of users never encounter malware, some experience it weekly. Out of these users, 10 per cent average more than 11 events per year, with 1 per cent as high as 27 events per year. These are the high-risk user for malware.  

Similarly, where browsing is concerned, only a small percentage of users account for most of the secure browsing events – i.e. 12 per cent cause 71 per cent of the events. 

What to do

Elevate’s report recommends several ways that businesses and organisations can minimise the security risk caused by risky users. These are:   

• Start measuring to identify which users pose an outsized risk
• Check the efficacy of controls – i.e. check how many phishing emails are getting through the filters, how uniformly AV software is installed, and make sure the controls are not just in place but are working properly for everyone.
• Identify risky users. Identify who’s generating the majority of security events and understand the reasons – e.g. a user may be an outsized target for attackers or someone who has slipped through the security controls or both. Also, consider checking the browsing history of a “click-happy user”.
• Start monitoring and helping the risky users. This could be done by setting up ‘guardrails’ and focused controls.  

What Does This Mean For Your Business?  

This report emphasises how important it is to have blocking measures and controls in place, with employee cyber security training in the first place to stop the vast majority of phishing emails and malware (for example) from getting through. It also shows that a disproportionally small number of users may be responsible for most of the risk, but these will not be identified unless the business measures and monitors to find out who they are. The suggestion here is that, rather than subjecting all users to the same level/type of treatment, companies can put more effort into identifying the riskiest users and concentrate more help on them. This could be a smarter and more efficient way for companies to boost security.

For IT support or advice, please call Paradise Computing on 01604 655900 or send us a message using our online contact form.