By Mike Knight

A report by security company ‘Elevate’ has revealed that 3% of users are responsible for 92% of malware events for businesses, indicating that a small number of users create the most risk.

2016 to 2021

‘The Size and Shape of Workforce Risk’ report, conducted on data provided to the Cyentia Institute by Elevate Security, included events starting in January 2016 through December 2021, and took into account 15.1m unique events associated with 168k users spread across more than 3.8k organisational departments.

Key findings


Some startling key findings of the report were that:

  • 4% of users are responsible for 80% of phishing incidents, some clicking as often as twice a month.
  • 3% of users are responsible for 92% of malware events.
  • 1% of users will average an incident every other week.
  • 12% of users are responsible for 71% of secure browsing incidents.
  • 1% will trigger 200 events per week.

What is a risky user?

As identified by the stats in the report, the risky users are those small percentages who cause security incidents, sometimes repeatedly. For example, where phishing emails are concerned, just over half of users never receive phishing emails but some users may simply receive a lot more phishing emails than others (100s per year vs. a few). This doesn’t necessarily make them risky because for the phishing emails that aren’t blocked in the first place, most users (75%) click on phishing emails less than 10% of the time. The Cyentia report, however, says that there is a small group (3.9% of users) who have clicked 3 or more phishing emails and who account for 80% of all phishing clicks. Within this group is the 1% who click more than 52 a year – once a week. As the report suggests, these are the risky users.

Also, according to the report, where malware is concerned, although 94% of users never encounter malware, some experience it weekly. Out of these users, 10% average more than 11 events per year, with 1% as high as 27 events per year. These are the high-risk users for malware.

Similarly, where browsing is concerned, only a small percentage of users account for most of the secure browsing events – i.e. 12% cause 71% of the events.

What to do

Elevate’s report recommends several ways that businesses and organisations can minimise the security risk caused by risky users. These are:

  • Start measuring to identify which users pose an outsized risk.
  • Check the efficacy of controls – i.e. check how many phishing emails are getting through the filters and how uniformly AV software is installed, and make sure the controls are not just in place but are working properly for everyone.
  • Identify risky users. Identify who’s generating the majority of security events and understand the reasons – e.g. a user may be an outsized target for attackers or someone who has slipped through the security controls or both. Also, consider checking the browsing history of a “click-happy user”.
  • Start monitoring and helping the risky users. This could be done by setting up ‘guardrails’ and focused controls.
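
As an illustration of the first and third recommendations, the following added example (not code from the report or from Elevate) counts events per user and finds the smallest group of users that accounts for a chosen share of each event type. The sample events, user ids, function names and the 80% threshold are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (user, event_type) pairs as they might be exported
# from mail-filter, AV and web-proxy logs. Not taken from the report.
POPULATION = 50  # all users in scope, including those with zero events
EVENTS = (
    [("u01", "phishing_click")] * 6 + [("u02", "phishing_click")] * 3
    + [("u03", "phishing_click"), ("u04", "phishing_click"), ("u05", "phishing_click")]
    + [("u01", "malware")] * 5 + [("u07", "malware")]
)

def concentration(events, population, target_share=0.8):
    """Per event type: the smallest set of users covering target_share of events."""
    per_type = defaultdict(Counter)
    for user, kind in events:
        per_type[kind][user] += 1
    out = {}
    for kind, counts in per_type.items():
        total = sum(counts.values())
        chosen, covered = [], 0
        # Highest counts first; ties broken by user id so output is stable.
        for user, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
            if covered >= target_share * total:
                break
            chosen.append(user)
            covered += n
        out[kind] = {
            "users": chosen,
            "pct_of_users": len(chosen) / population,
            "share_of_events": covered / total,
        }
    return out

def repeat_across_types(result):
    """Users who are in the high-contributor set for more than one event type."""
    seen = Counter(u for r in result.values() for u in r["users"])
    return sorted(u for u, n in seen.items() if n > 1)

if __name__ == "__main__":
    res = concentration(EVENTS, POPULATION)
    for kind, r in res.items():
        print(f"{kind}: {r['pct_of_users']:.0%} of users -> "
              f"{r['share_of_events']:.0%} of events {r['users']}")
    print("in more than one set:", repeat_across_types(res))
```

Dividing by the whole user population, rather than only by users who appear in the logs, is what makes the percentages comparable to the report's "X% of users" figures.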

What does this mean for your business?

This report emphasises how important it is to have blocking measures and controls in place, along with employee cyber security training, to stop the vast majority of phishing emails and malware (for example) from getting through in the first place. It also shows that a disproportionately small number of users may be responsible for most of the risk, but these will not be identified unless the business measures and monitors to find out who they are.

The suggestion here is that, rather than subjecting all users to the same level/type of treatment, companies can put more effort into identifying the riskiest users and concentrate more help on them. This could be a smarter and more efficient way for companies to boost security.

Contact Us

Contact the Hands On team on 020 8649 9911 or email info@hoc.co.uk for more advice on cyber security.
