High-risk users may be few, but the threat they pose is huge
High-risk users represent approximately 10% of the worker population and are found in every department and function of the organization, according to Elevate Security research.
High-risk users represent a sizable threat to the organization
Additionally, the study made several unexpected discoveries including:
- Contractors are typically less likely to be a high risk than employees
- Simulated phishing is not a good indicator of who is a high risk for real phishing attacks
This latter finding may be particularly impactful. Many traditional approaches to reducing user risk rely on simulated phishing tests as the primary factor in identifying potentially risky users, a premise that this study has now debunked.
While they make up a small percentage of the population, high-risk users represent a sizable threat to the organization. The study found that high risk users are responsible for:
- 41% of all simulated phishing clicks
- 30% of all real-world phishing clicks
- 54% of all secure-browsing incidents
- 42% of all malware events
Some areas of organizations pose higher risk than others
High-risk users were found throughout the organization, with some departments including customer service, R&D, and data analysis having more high-risk users than others.
Additionally, the study found that managers are about 40% more likely to be high-risk than individual contributors.
“User risk-driven incidents are getting worse. It’s critical for us to understand which users need more protection and to give them specific protections for the risks they run,” said Masha Sedova, Elevate president. “Over the last six months, we’ve seen attackers target engineers with very sophisticated multi-phase social engineering campaigns at a 2.5x higher rate than they had previously. I don’t think I’m going on a limb here by saying adversaries know our people, and their weaknesses, better than we do.”
“Adding human risk to our security calculus eliminates implicit trust, continuously validates digital interactions, and provides transparent and measurable feedback to reduce security gaps over time,” said Luke Simonetti, VP, Cyber Strategy Solutions at Booz Allen Hamilton. “We believe the Dynamic Cyber Trust model leads to continuously increased levels of security in the face of evolving threats.”
“Risk is not uniformly distributed among organizations, that much is clear from the results of our research. In fact, some users represent orders of magnitude more risk than others,” said Cyentia Institute Partner and Data Scientist, Ben Edwards. “Understanding and applying these distinctions will lead to significant improvements in organizational security.”