Understanding Human Risk: The 48% Factor
While the external threats from skilled hackers are evolving, the internal human element remains a significant challenge.
Key Points
- 48% of employees engage in risky online behavior that exposes their organizations to cyber threats.
- 13% engage in multiple risky actions, such as clicking phishing emails, executing malware, or violating web policies.
- Managers and public-facing roles like sales are targeted most often, while new hires and lab staff are most vulnerable.
- Tailored interventions and continuous education are paramount to mitigating human risk.
Cyber Risk Starts with Human Behavior
Cybersecurity isn't about firewalls and monitoring systems — it's about people. According to the 2024 Mimecast Exposing Human Risk Report, 48% of employees engage in risky online behavior that exposes their organizations to cyber threats. That’s nearly half of employees leaving their organizations vulnerable to attacks.
The frontline in cyber defense has shifted. While the external threats from skilled hackers are evolving, the internal human element remains a significant challenge. To address this, we need to understand the types of behaviors employees are engaging in, why these risks exist, and how businesses can respond.
48% of Employees’ Most Common Risky Behaviors
The Mimecast report identifies three key behaviors that consistently expose organizations to cyber risks:
- Clicking on phishing emails: Employees are still falling for phishing links, with 3% of users failing phishing simulations and actual phishing attacks alike.
- Downloading or executing malware: Employees unintentionally run software that opens the door to malicious actors.
- Violating web browsing policies: From visiting risky websites to ignoring IT protocols, browsing mistakes often lead to vulnerabilities.
Interestingly, while most risky behaviors occur as isolated incidents, 13% of employees engage in multiple risky actions, significantly increasing their likelihood of causing a breach.
The report highlights that cyber risk is not equally distributed. Specific roles and levels of tenure experience higher exposure than others.
- Managers are the most targeted group but also the least likely to click on phishing emails. However, their higher targeting rate means they face the greatest annual risk.
- New hires are particularly vulnerable to phishing emails, with click rates decreasing as tenure grows. Conversely, long-tenured employees get targeted more often simply because their email addresses are more widely known.
- Lab employees and customers, while not heavily targeted, have alarming click-through rates, indicating that training for these groups could dramatically reduce risk.
Additionally, salespeople and board members, both highly public-facing roles, receive frequent phishing attempts. Their roles often grant them high access privileges, which makes any successful attack on these users particularly devastating.
Why Do Employees Remain Risky After Training?
One particularly revealing aspect of the study is that human risk isn't purely behavioral — it's situational too. Employees in public-facing or higher-level roles are inherently more exposed simply due to the nature of their work.
For instance, managers have a lower click rate on phishing emails than most employees yet deal with far more attempts. The volume of attacks elevates their risk profile, suggesting that shielding them from threats (via enhanced filtering systems) is just as vital as additional training.
How Can Businesses Address Human Risk Effectively?
Managing human risk requires a multifaceted strategy. Organizations can't rely solely on one-size-fits-all training programs or technical solutions. Tailored interventions are the key to success.
- Identify high-risk groups: By understanding which employees are most targeted or most likely to click phishing emails, you can prioritize efforts where they’ll make the greatest impact.
- Tailor training programs: Instead of generic lessons, offer specific guidance for distinct roles. For example, salespeople may need to learn to scrutinize emails with a critical eye, whereas IT employees need ongoing reminders about web browsing policies.
- Prevent targeting: For roles like managers or board members, shielding them from phishing attacks through advanced IT defenses can be more effective than further training.
- Reinforce education continuously: Cybersecurity isn’t a one-and-done course. Employees need regular refreshers and evolving simulations to stay prepared.
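The point made above about managers (a low click rate, but so many attempts that their annual risk is still the highest) and the first step of the list, identifying high-risk groups, both come down to the same calculation: annual exposure is targeting pressure multiplied by click rate, not click rate alone. The following Python script is an added example, not code from the article or from Mimecast, that runs that calculation over a constructed phishing-simulation log. The log rows, role names, the 73-day campaign window and the two decision thresholds are all assumptions chosen for illustration, not figures from the report.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed phishing-simulation log (illustrative data, not figures from the
# Mimecast report): one tuple per simulated phishing email delivered during a
# 73-day campaign window, as (employee_id, role, clicked_link).
WINDOW_DAYS = 73  # chosen so that 365 / 73 == 5, keeping the annualised numbers round


def deliveries(emp, role, ignored, clicked):
    """Expand a count of ignored and clicked simulation emails into log rows."""
    return [(emp, role, False)] * ignored + [(emp, role, True)] * clicked


SIM_LOG = (
    # Managers: heavily targeted, rarely click
    deliveries("m1", "manager", 20, 1)
    + deliveries("m2", "manager", 22, 0)
    + deliveries("m3", "manager", 19, 1)
    # Sales: public-facing, targeted fairly often
    + deliveries("s1", "sales", 7, 1)
    + deliveries("s2", "sales", 8, 0)
    + deliveries("s3", "sales", 6, 0)
    # New hires: barely targeted yet, but a high click rate
    + deliveries("n1", "new_hire", 1, 1)
    + deliveries("n2", "new_hire", 3, 0)
    # Engineering: few attempts, no clicks
    + deliveries("e1", "engineering", 3, 0)
    + deliveries("e2", "engineering", 4, 0)
)

# Assumed decision thresholds for the intervention heuristic (not from the report).
TRAINING_CLICK_RATE = 0.10       # click rate at or above this -> targeted training
SHIELD_ATTEMPTS_PER_YEAR = 50    # attempts per employee-year at or above this -> filtering


@dataclass
class RoleRisk:
    role: str
    headcount: int
    attempts: int
    clicks: int
    click_rate: float                          # clicks / attempts
    attempts_per_employee_year: float          # targeting pressure
    expected_clicks_per_employee_year: float   # annual exposure: pressure x click rate


def role_risk(log, window_days=WINDOW_DAYS):
    """Aggregate a simulation log into per-role targeting, click-rate and exposure figures."""
    attempts, clicks, people = Counter(), Counter(), defaultdict(set)
    for emp, role, clicked in log:
        attempts[role] += 1
        clicks[role] += int(clicked)
        people[role].add(emp)
    annualise = 365 / window_days
    stats = {}
    for role in attempts:
        n = len(people[role])
        stats[role] = RoleRisk(
            role=role,
            headcount=n,
            attempts=attempts[role],
            clicks=clicks[role],
            click_rate=clicks[role] / attempts[role],
            attempts_per_employee_year=attempts[role] / n * annualise,
            expected_clicks_per_employee_year=clicks[role] / n * annualise,
        )
    return stats


def rank_roles(log, window_days=WINDOW_DAYS):
    """Roles ordered by annual exposure, highest first: where to spend effort first."""
    return sorted(role_risk(log, window_days).values(),
                  key=lambda r: r.expected_clicks_per_employee_year, reverse=True)


def recommend(r):
    """Map a role's profile to the kind of intervention the article argues for."""
    if r.click_rate >= TRAINING_CLICK_RATE:
        return "targeted training"          # people are clicking: change behaviour
    if r.attempts_per_employee_year >= SHIELD_ATTEMPTS_PER_YEAR:
        return "enhanced filtering"         # rarely click, but volume alone makes them risky
    return "baseline awareness"


if __name__ == "__main__":
    for r in rank_roles(SIM_LOG):
        print(f"{r.role:12} attempts/yr={r.attempts_per_employee_year:6.1f} "
              f"click_rate={r.click_rate:5.1%} "
              f"exposure={r.expected_clicks_per_employee_year:4.2f} -> {recommend(r)}")
```

With this constructed data the managers have the lowest click rate of any group that clicked at all, yet they rank first on annual exposure because they receive roughly eight times as many attempts per person as the new hires; the heuristic therefore routes them to filtering rather than more training, while the new hires, with few attempts but a 20% click rate, are routed to training. The thresholds are the part a real program would tune against its own simulation history.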
No business is immune to cyber risks, but the Mimecast Exposing Human Risk Report makes one thing clear — mitigating risk starts with understanding your employees. The data shows that risky behaviors can be reduced through targeted education, smarter defense strategies, and a proactive approach to identifying vulnerabilities.
Want to know more? Learn how your company can combat human-driven cyber risks today. Read the full Exposing Human Risk Report.