In today’s digital-first world, companies remain locked in a titanic battle to protect their people, data and work.
By Brian Pinnock, vice-president of sales engineering: EMEA at Mimecast
According to industry reports, cybercrime is expected to grow by 15% per year to reach $10,5-trillion in ill-gotten gains by 2025. Considering that the global cybercrime industry was worth only $3-trillion in 2015, this astonishing growth represents the greatest transfer of wealth in human history.
This increase in the financial impact of cybercrime is not only a global phenomenon; it also significantly affects South African organisations. The cost of data breaches for local companies has reached R53-million, up from R49-million in 2023.
Defending against growing attacks
Organisations have responded by investing in strengthening their cyber defences. Ninety percent of companies in Mimecast’s latest State of Email & Collaboration Security 2024 report now have a formal cybersecurity strategy. And yet, eight in 10 fell victim to ransomware, 41% experienced more email-based threats than in the previous year, and 39% saw a rise in phishing attacks.
In addition, despite companies using powerful technologies such as artificial intelligence (AI) to augment their cybersecurity efforts, the tide is not yet turning. Nearly one billion emails were exposed in 2023, affecting one in five internet users. While email continues to be the number one attack vector, new insights reveal that an organisation’s biggest source of risk is its people.
Understanding human risk
Data by international research and advisory firm Forrester suggests 90% of data breaches in 2024 will include a human element, up from 74% in 2023.
Mimecast data further reveals that three in four companies believe they are at risk of inadvertent data leaks by careless or negligent employees. However, not all employees are guilty of actions that compromise their companies’ cyber defences. In fact, a mere 8% of users are involved in 80% of security issues.
Only about 12% of users, on average, are classified as ‘high-risk’ – those who have had at least one instance of risky behaviour. However, this 12% is responsible for 30% of all phishing clicks, 54% of all secure-browsing incidents, and 42% of all malware events.
High-risk users are also not spread evenly across the organisation. Based on data from a Cyentia Institute study commissioned by Mimecast, 22% of employees in customer service were found to be ‘high-risk’, along with 18,5% in research and development, 16,5% in data analysis, and 13,7% in creative roles.
In contrast, only 1,5% of board members had taken risky online action, along with just over 8% of executive team members.
Quite often, organisations misunderstand the role that employees play in cybersecurity as well as the risks they pose. To help security professionals understand the vast array of risks and related behaviours impacting their organisation’s cyber defences, the new concept of Human Risk Management has emerged.
Human Risk Management 101
Human risk management aims to secure organisations by more effectively connecting the dots between humans and technology. Traditional security programmes have left security leaders unable to proactively identify high-risk employees or effectively mitigate risky behaviour.
Human risk management accepts that employees are constantly under attack and that the attack surface has expanded significantly due to the skyrocketing adoption of collaboration tools.
Addressing employee vulnerability requires an adaptive and individualised approach to cybersecurity that is human-by-design, safeguards against cyberattacks and delivers measurable impact.
Mimecast’s connected human risk management platform, which includes Mimecast Engage, leverages real-time risk signals and behavioural insights from across the organisation to deliver the right intervention and training to employees at the right time. By adopting human risk management as a core tenet of their cybersecurity strategies, organisations can gain visibility over risky employees, intervene with appropriate training, and deliver real security outcomes at scale.