Cyber incidents involving employees increased by 90% last year. 93% of organizations were victims of attacks in which cybercriminals exploited human behavior. Human error and internal risks remain a persistent contributor to data breaches and account takeovers.
This is according to research by KnowBe4. Email remains the primary channel through which cybercriminals deceive employees. 64% of organizations reported incidents that originated via email, while 57% saw a further increase in email-related attacks. Phishing also served as a gateway to account takeovers in 59% of the affected organizations.
At the same time, the threat landscape is shifting to a broader group of communication channels. Thirty-nine percent of organizations reported successful attacks via messaging platforms such as Microsoft Teams and Slack. Social media also poses a growing risk (36%), as does SMS-based phishing (smishing), which affected 31% of organizations. This development is leading to so-called boundaryless phishing, in which employees are targeted on virtually every digital channel.
Internal threats underestimated
In addition to external attacks, internal threats also pose a substantial and often underestimated risk. 36% of cybersecurity leaders indicated that employees deliberately caused security incidents in the past year. In most cases, organizations were barely able to intervene: only 6% of these incidents were stopped before the employee achieved their goal.
In 43% of incidents, data was leaked or sold to competitors, followed by online information leaks (37%) and taking company data to a new employer (35%).
In addition to malicious acts, mistakes also remain a major cause of incidents. 90% of organizations experienced security incidents caused by human error in the past year. Examples include misdirected emails, incorrect storage of sensitive information, and oversharing via collaboration platforms.
The survey shows that many employees do not consider cybersecurity to be their own responsibility. Only 29% feel personally responsible for protecting company data, while 53% believe that this responsibility lies primarily with IT and security teams.
It is also striking that 47% believe that the information they work with is not the property of the organization, but of themselves or their team. This gap between policy and perception increases the likelihood of risky behavior and hinders effective prevention.
Only 16% of organizations have a well-designed Human Risk Management program, and 71% have insufficient insight into the individual risk profiles of their employees. It is therefore not surprising that virtually all cybersecurity leaders (97%) indicate that they need more budget to effectively manage human risks.