Understanding employees’ motivations behind risky actions

More 68% of employees knowingly put their organizations at risk, potentially leading to ransomware or malware infections, data breaches, or financial loss, according to Proofpoint.

Perception on security responsibility

And while the incidence of successful phishing attacks has slightly declined (71% of surveyed organizations experienced at least one successful attack in 2023 versus 84% the previous year), the negative consequences have soared: a 144% increase in reports of financial penalties, such as regulatory fines, and a 50% increase in reports of reputational damage.

The findings from this year’s report notably challenge the traditional belief that people take risky actions due to a lack of cybersecurity knowledge and that security awareness training alone can fully prevent unsafe behaviors. The conundrum extends to security professionals’ belief that most employees know they are responsible for protecting the organization, signaling a gap between the limitations of individual security technology and user education.

“Cybercriminals know that humans can be easily exploited, either through negligence, compromised identity—or in some instances—malicious intent,” said Ryan Kalember, chief strategy officer, Proofpoint. “Individuals play a central role in an organization’s security posture, with 74% of breaches still centering on the human element. While fostering security culture is important, training alone is not a silver bullet. Knowing what to do and doing it are two different things. The challenge is now not just awareness, but behavior change.”

Employees need simplified security controls

71% of surveyed working adults admitted to taking risky actions, such as reusing or sharing a password, clicking on links from unknown senders, or handing over their credentials to an untrustworthy source. 96% did so knowing the inherent risks involved, meaning that 68% of employees willingly undermined their organization’s security.

The motivations behind risky actions are varied, with most employees citing convenience (44%), the desire to save time (39%), and a sense of urgency as their main reasons (24%).

While 85% of surveyed security professionals said that most employees know they are responsible for security, 59% weren’t sure or claimed they were not responsible. And even though virtually all employees who took a risky action knew the inherent risks—a clear indication security training is working to drive employee awareness—, there are clear disparities between what security professionals and employees think is effective to encourage real behavior change.

Security pros believe that more training (83%) and tighter controls (81%) are the answer. Still, nearly all surveyed employees (94%) said they’d prioritize security if controls were simplified and more user-friendly.

BEC attacks benefit from AI

Over one million attacks are launched with the MFA-bypass framework EvilProxy every month, yet, worryingly, 89% of security professionals still believe MFA provides complete protection against account takeover.

Fewer organizations reported email fraud attempts globally, but attack volume grew in countries such as Japan (35% year-over-year increase), South Korea (+31%), and UAE (+29%). These countries may have previously seen fewer BEC attacks due to cultural or language barriers. Still, generative AI allows attackers to create more convincing and personalized emails in multiple languages. Proofpoint detects an average of 66 million targeted BEC attacks every month.

69% of organizations experienced a successful ransomware infection in the past year (a 5-percentage point increase year-over-year); alarmingly, 60% of IT professionals said their organization experienced multiple, separate ransomware infections. Of the organizations impacted by ransomware, 54% agreed to pay attackers (down from 64%), with only 41% regaining access to their data after a single payment (down from 52% a year ago).

Telephone-oriented attack delivery attacks

Although initially appearing as a benign message, containing nothing more than a phone number and some erroneous information, the attack chain is activated when an unsuspecting employee calls a fraudulent call center, providing their credentials or granting remote access to malicious actors. Proofpoint detects 10 million telephone-oriented attack delivery (TOAD) attacks per month, on average, with a recent peak in August 2023, which drew 13 million incidents.

Despite the growing prominence and sophistication of threats such as ransomware, TOAD and MFA bypass, many organizations are not adequately prepared or trained to deal with them. Only 23% of organizations educate their users on how to recognize and prevent TOAD attacks, and only 23% educate their users on generative AI safety.