By Brian Pinnock, vice president of sales engineering, EMEA, Mimecast
In today’s digital-first world, companies remain locked in a titanic battle to protect their people, data and work. According to industry reports, cybercrime is expected to grow by 15% per year to reach US$10,5 trillion in ill-gotten gains by 2025. Considering the global cybercrime industry was worth only US$3 trillion in 2015, this astonishing growth represents the greatest transfer of wealth in human history. This increase in the financial impact of cybercrime is not only a global phenomenon but significantly impacts South African organisations. The cost of data breaches for local companies has reached R53 million – up from R49 million in 2023.
Defending against growing attacks
Organisations have responded by investing in strengthening their cyber defences – 90% of companies in Mimecast's latest State of Email & Collaboration Security 2024 report now have a formal cybersecurity strategy. However, eight in 10 fell victim to ransomware, 41% experienced more email-based threats compared to the previous year and 39% saw a rise in phishing attacks.
In addition, despite companies using powerful technologies such as artificial intelligence (AI) to augment their cybersecurity efforts, the tide is not yet turning. Nearly one billion emails were exposed in 2023, affecting one in five internet users. While email continues to be the number one attack vector, new insights reveal an organisation's biggest source of risk is its people.
Understanding human risk
Data by international research and advisory firm Forrester suggests 90% of data breaches in 2024 will include a human element – up from 74% in 2023. Mimecast data further reveals three in four companies believe they are at risk of inadvertent data leaks by careless or negligent employees. However, not all employees are guilty of actions that compromise their companies' cyber defences. In fact, a mere 8% of users are involved in 80% of security issues.
Only about 12% of users, on average, are classified as “high risk”, that is, users with at least one instance of risky behaviour. However, this 12% is responsible for 30% of all phishing clicks, 54% of all secure-browsing incidents and 42% of all malware events.
High-risk users are also not spread evenly across the organisation. Based on data from a Cyentia Institute study commissioned by Mimecast, 22% of employees in customer service were found to be high risk along with 18,5% in research and development, 16,5% in data analysis and 13,7% in creative roles. In contrast, only 1,5% of board members had taken risky online action along with just over 8% of executive team members.
Quite often, organisations misunderstand the role that employees play in cybersecurity as well as the risks they pose. To help security professionals understand the vast array of risks and related behaviours impacting the organisation's cyber defences, the new concept of human risk management has emerged.