When risky cybersecurity behavior becomes a habit among employees
While the majority of employees avoid risky behaviors, a small subset makes them a habit, posing a significant cybersecurity challenge, according to Mimecast.
48% of employees engaged in behaviors that exposed their organizations to cyber risk, with browsing violations being the most common (36% of users). Browsing violations, unlike phishing and malware events, do not directly impact security. However, they can increase the likelihood of encountering malware or online scams.
Impersonation phishing widespread across sectors
Notably, credential harvesting phishing attacks are prevalent across all industries. Impersonation is also a common type of phishing across all industries (especially healthcare and education).
Receiving phishing emails is one thing; falling for them is another thing entirely. According to Mimecast’s analysis, 89% of users who received real-world phishing never clicked on any of them.
The typical click rate for users who fall for real-world phishing emails is 12.5%. Training can reduce phishing click rates by an average of 25% among users who already tend to click. About one in seven employees were solely responsible for triggering 10 or more malware events.
Simulated phishing tests may be harder than the real thing: they produce significantly higher click rates than real-world phishing attacks. A possible explanation is that real phish are easier for employees to spot than their simulated cousins.
Managers are more frequently targeted by phishing attacks
The study also emphasizes that human risk is not evenly distributed. A small percentage of users are responsible for a disproportionate share of security incidents. For instance, just 1% of users are behind 44% of all clicked phishing emails, and 5% are responsible for all malware incidents.
In a 1,000-person organization, 14 employees are expected to download or execute malware. Seven of these employees will trigger malware on a monthly basis, and four will encounter malicious software on a weekly basis.
Managers are more frequently targeted by phishing attacks due to their public profiles and higher levels of access, but they are less likely to click on them. Executives, sales, and board members, being public-facing roles, also receive a high volume of phishing emails.
Lab employees, while receiving the fewest phishing emails, are the most likely to click on them, highlighting the distinction between being targeted and being tricked. Similarly, newer employees are more susceptible to phishing attacks.
Human behavior remains a significant vulnerability in even the most secure environments. Cybersecurity leaders must therefore adopt a proactive, human-centric approach to managing risk. This requires moving beyond basic awareness training and focusing on behavioral change through targeted, continuous education and reinforcement.