Newer, Untrained Employees Heighten Cyber Risk for Organisations: CybeReady Research
CybeReady, a global leader in security awareness training, has conducted extensive research based on millions of data points, accumulated from training enterprise employees over the past five years. According to CybeReady, the data reveals that new employees regularly show a propensity for higher-risk behaviours compared to veteran employees. The data coming out of CybeReady establishes a direct correlation between employee veterancy within a company and its cybersecurity risk level.
The new findings highlight the significance of the employee learning curve and its impact on cybersecurity risk. The data groups employees into three main clusters according to their risk level (Low, Medium, and High Risk), and assumes every employee engages in continuous and regular training – at least one short training session per employee per month.
According to the data, during their first six months (0-6 months) with an organization, new employees are often given basic training in order to establish a risk baseline. As early-stage employees progress to the 6-12 month mark, they are exposed to advanced training simulations and reveal a medium level of risk. However, after the 12-month mark, a breakpoint is observed, indicating a significant decrease in risk.
The research further reveals a stark contrast in behaviour between new and veteran employees (Figure 1). On average, new employees (less than six months with the company) are more than twice as likely to click on phishing emails compared to their veteran counterparts, demonstrating increased susceptibility to cyber threats.
Figure 1 – Cyber Behaviour by Veterancy
In addition, the study examines the reporting rate of phishing attempts and identifies an “opposite correlation” between employee risk level and their reporting rate (Figure 2). It was observed that low-risk employees tend to report up to 50% more than medium-risk employees, or up to four times more than high-risk employees. This suggests that training not only fosters secure habits and empowers employees to avoid phishing emails, but also encourages a proactive approach to reporting such threats. This behaviour change plays a crucial role in protecting organizations from the potential consequences caused by untrained employees.
Figure 2 – Phishing Reporting by Risk Group
“Our data demonstrate the crucial role employees play in keeping the organization safe, and how administering effectiveness training can truly change employee behaviour,” said Eitan Fogel, CEO of CybeReady. “By recognizing the increased vulnerability of new employees and providing targeted training at various stages of veterancy and risk levels, organizations can mitigate cyber risks and thereby strengthen their overall security posture.”
CybeReady remains committed to building employee readiness for cyberattacks by developing innovative cybersecurity training that equips employees with the skills to identify and thwart cyber threats. Their research underscores the importance of investing in continuous training programs to strengthen the human element of cybersecurity and minimize organizational risk.