10% of Employees Cause Most Cybersecurity Risks

Summary
– A small group (10% of users) accounts for 73% of risky cybersecurity behavior, challenging conventional assumptions about risk sources.
– Remote and part-time workers are often less risky than full-time office employees, with 78% of users reducing cyber risk more than they contribute.
– Human risk extends beyond phishing to include identity, access, behavior, and external threats, requiring broader visibility and mitigation strategies.
– Organizations detect only 43% of risky behaviors on average, with those relying solely on Security Awareness Training detecting just 12%.
– Executives and tenured employees show elevated chaotic risky behavior, while regulated industries like finance and healthcare exhibit better risk visibility and vigilance.
A small fraction of employees accounts for the majority of cybersecurity threats within organizations, according to new research. A joint study by Living Security and the Cyentia Institute reveals that just 10% of users are responsible for nearly three-quarters of risky security behaviors, challenging common assumptions about workplace vulnerabilities.
The findings, based on data from more than 100 companies, show that full-time office employees often pose greater risks than remote or part-time workers. Surprisingly, 78% of staff actively contribute to reducing cyber threats, demonstrating that most employees follow security best practices like reporting phishing attempts and using multi-factor authentication.
Traditional phishing-focused training misses the bigger picture. The report highlights that human risk extends beyond malicious links to include poor password habits, unauthorized access attempts, and external targeting by cybercriminals. Even factors outside an employee’s control, such as being singled out in a malware campaign, play a role in their overall risk profile.
Lack of visibility remains a major obstacle. Companies detect only 43% of risky behaviors on average, with those relying solely on basic security awareness training catching a mere 12%. Even organizations with advanced monitoring systems identify just 19% of human-related threats, exposing a significant gap in detection capabilities.
Employees were categorized using a behavior-based alignment system, similar to role-playing games. While most fell into the “vigilant” category, the 8% labeled as “chaotic risky” stood out due to their unpredictable actions and high exposure to threats. These individuals require targeted intervention, such as stricter access controls or additional training.
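As an added illustration, not code from the report or from either research organisation, the script below shows how a defender could compute the two concentration metrics quoted above from their own telemetry: the share of risky events produced by the riskiest 10% of users, and the fraction of users whose protective actions (reporting phishing, using MFA) outnumber their risky ones. The event records and the event-type categories are constructed for the example; the report's own scoring method is not described on this page.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (user, event). Illustrative records only,
# not data from the Living Security / Cyentia report.
RISKY_EVENTS = {"clicked_phish", "weak_password", "unauthorized_access", "malware_targeted"}
PROTECTIVE_EVENTS = {"reported_phish", "mfa_used"}

SAMPLE_EVENTS = [
    ("u01", "clicked_phish"), ("u01", "clicked_phish"), ("u01", "weak_password"),
    ("u01", "unauthorized_access"), ("u01", "unauthorized_access"),
    ("u01", "malware_targeted"), ("u01", "weak_password"),
    ("u02", "clicked_phish"), ("u02", "reported_phish"), ("u02", "mfa_used"),
    ("u03", "mfa_used"),
    ("u04", "mfa_used"), ("u04", "reported_phish"), ("u04", "mfa_used"),
    ("u05", "weak_password"), ("u05", "mfa_used"), ("u05", "reported_phish"),
    ("u06", "mfa_used"),
    ("u07", "reported_phish"), ("u07", "mfa_used"),
    ("u08", "mfa_used"),
    ("u09", "clicked_phish"),
    ("u10", "mfa_used"), ("u10", "reported_phish"),
]

def tally(events):
    """Per-user counts of risky and protective events: {user: [risky, protective]}."""
    counts = defaultdict(lambda: [0, 0])
    for user, event in events:
        if event in RISKY_EVENTS:
            counts[user][0] += 1
        elif event in PROTECTIVE_EVENTS:
            counts[user][1] += 1
        # Event types outside both sets are ignored rather than guessed at.
    return dict(counts)

def top_decile_share(events):
    """Fraction of all risky events generated by the riskiest 10% of users."""
    counts = tally(events)
    total = sum(r for r, _ in counts.values())
    if total == 0:
        return 0.0
    k = math.ceil(len(counts) / 10)  # size of the top decile, at least one user
    top = sorted((r for r, _ in counts.values()), reverse=True)[:k]
    return sum(top) / total

def net_reducer_fraction(events):
    """Fraction of users whose protective events outnumber their risky events."""
    counts = tally(events)
    reducers = sum(1 for r, p in counts.values() if p > r)
    return reducers / len(counts) if counts else 0.0

if __name__ == "__main__":
    print(f"risky events from top decile: {top_decile_share(SAMPLE_EVENTS):.0%}")  # 70%
    print(f"users who are net risk reducers: {net_reducer_fraction(SAMPLE_EVENTS):.0%}")  # 80%
```

Run against real telemetry, the same two functions give a per-organisation view of whether risk is concentrated in a small group, which is the case the report makes for targeted intervention rather than blanket training.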
Common myths about high-risk workers were debunked. Contrary to expectations, contractors and remote employees were less likely to engage in risky behavior than their in-office counterparts. Executives and long-tenured staff, despite often championing security policies, also exhibited higher-than-average chaotic tendencies.
Industry-specific trends emerged as well. Business services firms had the highest proportion of chaotic risky users and the poorest visibility into employee activities. Meanwhile, heavily regulated sectors like finance and healthcare demonstrated stronger oversight and more security-conscious workforces.
The study underscores the need for comprehensive risk assessment tools and proactive mitigation strategies rather than relying solely on training programs. By focusing on high-risk individuals and improving detection methods, organizations can significantly reduce their exposure to preventable threats.
(Source: HelpNet Security)