Is 10 Percent Of The Workforce Responsible For Most Cybersecurity Incidents?

A major workforce cyber risk study examined user behavior data from more than a hundred organizations and found that only 10 percent of employees account for nearly 75 percent of all actions that put firms at risk for a cyber incident.

The study suggests that enterprise security in 2025 hinges on managing human behavior rather than on relying solely on technical security controls or general workforce training.

Previous approaches mostly focused on anecdotal evidence such as phishing test results, but this report used large-scale event data to pinpoint exactly how and where risks accumulate.

The riskiest users are often not those whom management may suspect. Contrary to widespread belief, remote and part-time employees show lower risk profiles than do full-time, in-office staff.

Most employees actively help reduce corporate cyber exposure, with 78 percent taking steps that lower organizational risk.

Effective risk management platforms use tailored interventions, analytics, and targeted user training to cut the number of risky users in half and to shorten the duration of risky behavior by 60 percent.

The report also warns that threats are not limited to those actions employees consciously take.

Events outside employee control, such as being targeted by external malware or phishing campaigns, affect risk as much as factors like bad credential hygiene or improper access management.

Source: https://www.theglobeandmail.com/investing/markets/markets-news/ACCESS%20Newswire/33407029/new-data-reveals-just-10-of-employees-drive-73-of-cyber-risk/

Commentary

According to the source, the findings support a shift toward proactive identification and management of high-risk individuals, enabling organizations to concentrate their resources and policies where risk is highest.

The risk these employees pose can stem from direct actions such as:

  • Mishandling credentials,
  • Neglecting security hygiene, or
  • Falling victim to increasingly convincing phishing and social engineering campaigns.

Risk can also come from systemic vulnerabilities, such as lack of tailored training or insufficient risk assessment.

From a loss prevention perspective, it is crucial for organizations to not only train on loss prevention principles but to also consider approaches that address the unique exposure presented by specific employee groups.

This includes investing in security intelligence platforms that provide visibility into employee behavior, maintaining strict access controls, and delivering just-in-time awareness interventions based on real-time risk assessments.
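The core of the approach described above, both the study's finding that a small share of users generates most risky actions and the commentary's recommendation to identify those users for targeted intervention, is a concentration analysis over a per-user event log. The script below is an added illustration, not code from the report, the article, or any vendor platform. It assumes a simple event schema (user id, action kind, timestamp) and a constructed log of 40 risky actions across 20 users; it ranks users by risky-action count, reports what share of all risky actions the top 10 percent account for, and measures how long each user's risky behaviour persisted, which is the quantity a just-in-time intervention programme would aim to shorten.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import math


@dataclass(frozen=True)
class RiskEvent:
    """One risky action attributed to a user (constructed schema for this example)."""
    user: str
    kind: str          # e.g. "credential_reuse", "phish_click", "policy_bypass"
    ts: datetime


def risky_actions_per_user(events, all_users):
    """Count risky actions per user, including users with zero events so the
    population size (the denominator for 'top 10 percent') is correct."""
    counts = Counter(e.user for e in events)
    for u in all_users:
        counts.setdefault(u, 0)
    return dict(counts)


def top_fraction_share(counts, fraction=0.10):
    """Return (top_users, share): the ceil(fraction * N) users with the most
    risky actions, and the share of all risky actions they account for.
    Ties are broken by user id so the result is deterministic."""
    n_top = max(1, math.ceil(len(counts) * fraction))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    top = ranked[:n_top]
    total = sum(counts.values())
    share = sum(c for _, c in top) / total if total else 0.0
    return [u for u, _ in top], share


def risky_behavior_duration_days(events):
    """Days between a user's first and last risky action: the 'duration of
    risky behaviour' that targeted interventions try to shorten."""
    first, last = {}, {}
    for e in events:
        first[e.user] = min(first.get(e.user, e.ts), e.ts)
        last[e.user] = max(last.get(e.user, e.ts), e.ts)
    return {u: (last[u] - first[u]).days for u in first}


def build_sample_events():
    """Constructed log of 40 risky actions across a 20-person population."""
    t0 = datetime(2025, 1, 1)
    events = []
    # u03: 20 actions on consecutive days (a persistent credential-hygiene problem)
    events += [RiskEvent("u03", "credential_reuse", t0 + timedelta(days=i)) for i in range(20)]
    # u11: 10 actions every other day (repeated phishing clicks)
    events += [RiskEvent("u11", "phish_click", t0 + timedelta(days=2 * i)) for i in range(10)]
    # ten further users with a single isolated policy bypass each
    events += [RiskEvent(f"u{n:02d}", "policy_bypass", t0 + timedelta(days=n))
               for n in (1, 2, 4, 5, 6, 7, 8, 9, 10, 12)]
    return events


# Constructed population: 20 users, 8 of whom generate no risky actions at all.
SAMPLE_USERS = [f"u{n:02d}" for n in range(1, 21)]


def analyze(events=None, all_users=SAMPLE_USERS, fraction=0.10):
    """Run the concentration analysis; returns (top_users, share, durations)."""
    events = build_sample_events() if events is None else events
    counts = risky_actions_per_user(events, all_users)
    top_users, share = top_fraction_share(counts, fraction)
    durations = risky_behavior_duration_days(events)
    return top_users, share, durations


if __name__ == "__main__":
    top_users, share, durations = analyze()
    print(f"top 10% of users: {top_users} -> {share:.0%} of risky actions")
    for u in top_users:
        print(f"  {u}: risky behaviour spanned {durations[u]} days")
```

On the constructed log the top two users (10 percent of 20) produce 30 of 40 risky actions, i.e. 75 percent, which mirrors the concentration the study reports. Counting zero-event users matters: omitting them inflates the apparent size of the risky group, and the same analysis re-run after an intervention (comparing the size of the top group and the per-user duration before and after) is how a programme would measure the reductions the article cites.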

A strong loss prevention model requires both proactive and reactive elements: monitoring and analysis to anticipate risk, and a mature incident response capability designed to contain and remediate breaches swiftly.

The final takeaway is that successful loss prevention is characterized by a dual focus: reducing the underlying causes that result in certain employees creating most of the risk, while also empowering all staff with the relevant knowledge and resources to act responsibly.
