The Rising Tide of Cybercrime: Understanding Human Risk Management in Cybersecurity
In today’s digital-first world, companies are locked in a titanic battle to protect their people, data, and work. The stakes have never been higher: cybercrime is projected to grow by 15% annually, reaching a staggering $10.5 trillion in ill-gotten gains by 2025. This marks a dramatic increase from the $3 trillion valuation of the global cybercrime industry in 2015, representing the greatest transfer of wealth in human history. The financial impact of cybercrime is not just a global phenomenon; it significantly affects organizations in South Africa, where the cost of data breaches has surged to R53 million (South African rand), up from R49 million in 2023.
Defending Against Growing Attacks
In response to this escalating threat, organizations are investing heavily in strengthening their cyber defenses. According to Mimecast’s latest State of Email & Collaboration Security 2024 report, 90% of companies now have a formal cybersecurity strategy. However, despite these efforts, the battle is far from won. Eight in ten organizations fell victim to ransomware, while 41% experienced an increase in email-based threats compared to the previous year, and 39% reported a rise in phishing attacks.
Even with the integration of powerful technologies like artificial intelligence (AI) into their cybersecurity frameworks, organizations are still struggling to turn the tide. In 2023 alone, nearly one billion emails were exposed, affecting one in five internet users. Alarmingly, while email remains the primary attack vector, new insights reveal that the biggest source of risk for organizations is their own people.
Understanding Human Risk
Data from Forrester, an international research and advisory firm, indicates that 90% of data breaches in 2024 will involve a human element, up from 74% in 2023. Mimecast’s findings further reveal that three in four companies believe they are at risk of inadvertent data leaks due to careless or negligent employees. However, it’s crucial to note that not all employees are equally culpable. In fact, a mere 8% of users are responsible for 80% of security issues.
Only about 12% of users are classified as ‘high-risk’, meaning they have exhibited at least one instance of risky behavior. Yet this small group is responsible for a disproportionate share of security incidents: 30% of all phishing clicks, 54% of secure-browsing incidents, and 42% of malware events.
Moreover, high-risk users are not evenly distributed across the organization. A study by the Cyentia Institute, commissioned by Mimecast, found that 22% of employees in customer service were classified as ‘high-risk,’ along with 18.5% in research and development, 16.5% in data analysis, and 13.7% in creative roles. In stark contrast, only 1.5% of board members and just over 8% of executive team members engaged in risky online behavior.
Organizations often misunderstand the role that employees play in cybersecurity and the risks they pose. To address this, the concept of Human Risk Management has emerged, aiming to provide security professionals with a clearer understanding of the diverse risks and behaviors that impact their organization’s cyber defenses.
Human Risk Management 101
Human Risk Management seeks to enhance organizational security by connecting the dots between human behavior and technology. Traditional security programs have often left security leaders unable to proactively identify high-risk employees or to mitigate risky behaviors. Human Risk Management acknowledges that employees are constantly under attack and that the attack surface has expanded significantly with the rapid adoption of collaboration tools.
Addressing employee vulnerability requires an adaptive, individualized, human-centered approach to cybersecurity. This approach not only safeguards against cyberattacks but also delivers measurable impact.
Mimecast’s connected Human Risk Management platform, which includes tools like Mimecast Engage, leverages real-time risk signals and behavioral insights from across the organization. This enables the delivery of timely interventions and training to employees. By adopting Human Risk Management as a core tenet of their cybersecurity strategies, organizations can gain visibility over risky employees, intervene with appropriate training, and achieve tangible security outcomes at scale.
Conclusion
As cybercrime continues to evolve and expand, organizations must recognize the critical role that human behavior plays in their cybersecurity strategies. By embracing Human Risk Management, companies can better protect their assets, mitigate risks, and foster a culture of security awareness among employees. In this digital age, where the threat landscape is constantly shifting, understanding and managing human risk is not just a necessity; it is a strategic imperative for any organization aiming to thrive in an increasingly perilous environment.