
Report finds 10% of staff cause 73% of risky cyber behaviour
Concentration of risk
The 2025 State of Human Cyber Risk Report, based on behavioural data from more than 100 enterprises and hundreds of millions of user activities, has outlined how just 10% of employees are responsible for 73% of all risky behaviour within organisations. This concentration of risk challenges the common perception that cyber risk is broadly distributed across the workforce.
The report provides detailed insights into where cyber risk is prevalent in today's enterprises and argues for a shift from systemic defences to targeted human risk management. Ashley Rose, Chief Executive Officer and Co-founder of Living Security, commented on the findings, stating: "Security teams have always known the human factor plays a critical role in breaches, but they've lacked the visibility to act on it. Until now, most insights have relied on anecdotal evidence or narrow indicators like phishing clicks. This report changes that by providing hard data that shows exactly where risk lives, and what actually works to reduce it."
Visibility challenges
One of the most significant takeaways from the report is the shortfall in visibility for many organisations. The analysis determined that those relying only on security awareness training (SAT) can detect merely 12% of risky behaviour. In contrast, companies employing mature Human Risk Management (HRM) programmes detected five times as much risk.
The study also revealed that risk is often misattributed. Remote and part-time workers were found to be less risky than in-office staff, contradicting some prevailing assumptions about offsite working arrangements.
Effectiveness of targeted interventions
Living Security reports that organisations utilising its Unify HRM platform managed to reduce their population of risky users by 50% and shorten the duration of high-risk behaviour by 60%. The report suggests that behaviour-triggered interventions are notably more effective than blanket awareness campaigns.
The comprehensive study examines risk distribution by role, industry, and user access level, and provides persona-based insights using behavioural alignment models. It further concludes that targeted action plans, prompted by dynamic risk detection, can dramatically lower an organisation's exposure to internal threats.
Rose asserts that a fundamental rethink of cyber risk management is required, saying: "Cybersecurity is no longer just about technology, it's about behavior. If we don't understand who our riskiest users are, why they're at risk, and how to help them improve, we'll continue chasing symptoms instead of solving the root problem."
Changing requirements
The report comes at a time of rapidly changing enterprise environments, with AI-driven agents and digital co-workers broadening the digital attack surface. The findings recommend that security leaders transition from purely technical defences to approaches that prioritise visibility into user behaviour and enable targeted interventions.
According to the report, detecting and acting on high-risk behaviours at the user level confers significant advantages in risk reduction speed and overall organisational security posture. The full report stresses the necessity of shared visibility and accountability for both human and non-human actors operating within the enterprise.
The 2025 State of Human Cyber Risk Report was developed using anonymised data from the Unify platform collected over multiple years, offering a detailed look at how human risk is manifested and can be mitigated across various industries and organisational sizes.
Techday NZ
18-07-2025
New research from Living Security and Cyentia Institute indicates that a small proportion of employees are accountable for a significant majority of risky cyber behaviours, while most organisations remain unaware of the true scale of internal risk.
