Every year, enterprises spend millions on security technology and training — only to be caught on the hamster wheel of responding to incidents caused by recurrent human errors. Incredibly, human error has played a role in 88% of the total losses from the largest cyber incidents of the last 5 years.
In this provocative new research report, Cyentia Institute launches its first annual study on human cybersecurity risk in the workplace, in partnership with Elevate Security.
This unprecedented report aggregates data from 114,000 end users across 2,000 organizational departments between 2018 and 2020. Cyentia analysts highlight key lessons to be learned from the data about measuring and managing the human attack surface.
Here’s a preview of what’s in the report…
Introduction: The Human Attack Surface
In his 2008 essay, Bruce Schneier extols the virtues of the “Security Mindset”. He argues that a particular type of thinking, one focusing not only on the functionality of a system but also on how it can be misused, is an essential way for security professionals to view the world.
If the “Security Mindset” was an important ideal back then, it is much more so today. Nearly everyone—not just security professionals—must be at least a little bit aware of the dangers they face when clicking through emails, selecting passwords, or installing new apps. However, the constant vigilance required by this mindset is simply asking too much of most people. And yet, we also can’t just lock down everyone and everything around them without bringing the business to a grinding halt.
This challenge creates an impasse for organizations seeking to manage their human attack surface and raises some critical questions. What can be done to develop ongoing visibility into the full spectrum of risky employee decisions that undermine enterprise defenses? Is it possible to cultivate a “securer mindset” without paralyzing productivity for fear of cyber boogeymen in every URL? Finally, how do we mitigate the impact of the inevitable poor decisions employees make and provide them the right security protections based on their individual risk levels?
This report starts to answer these questions (and more) by mining troves of sanitized data from Elevate Security. We unearthed tons of fascinating nuggets of knowledge from those mining operations, but we’ve decided to focus this report on some key lessons we learned about measuring and managing the human attack surface. Keen to know what those lessons are and how to apply them to your organization? Great, let’s go!
- Nearly two-thirds of major data breaches are tied directly back to human risk factors.
- Human risk played a direct role in 88% of the total losses attributed to the largest cyber incidents of the last five years!
- Security training and phishing simulations result in slightly lower click rates among users but have no significant effect at the organizational level.
- Users with active password managers are 19 times less likely to download or execute malware than those without them.
- Malware infections are 10 times more likely to occur among users at the bottom of the org chart than those at the top.