The Human Factor of Cybersecurity
Since 2014, the Human Factor report has explored a simple premise: that people—not technology—are the most critical variable in today’s cyber threats.
In cybersecurity terms, 2021 was the breakout year when financially motivated cyber crime became a national security issue. It was also a year marked by ceaseless creativity from threat actors who worked to undermine digital defences and take advantage of the many opportunities presented by an uncertain world.
After a year that changed the world, it turns out that some things stayed the same. Attackers remained as unscrupulous as ever, making protecting people from cyber threats an ongoing—and often fascinating—challenge.
Key Findings:
What this report covers
This report dives deep into each of three facets of user risk–Vulnerability, Attacks and Privilege.
It examines key developments in the threat landscape. It explores the developing relationship between cyber criminal groups and what it means for the rest of us. And it explains how a people-centric defence can make users more resilient, mitigate attacks and manage privilege.
This report covers threats detected, mitigated and resolved during 2021 among Proofpoint deployments around the world, one of the largest, most diverse data sets in cybersecurity.
Mingling to business and personal
According to the results of our annual State of the Phish report, almost half of working adults shifted to a remote working environment as a result of COVID-19. One thing to emerge clearly from this shift is a definite mingling of business and personal. And this is perhaps nowhere more apparent than in how people use their personal and work devices.

Nearly three-quarters said they used a personal device for work purposes.
77% said they accessed personal accounts on an employer-issued device.
55% of respondents admitted that they allow friends and family to use their work computers and phones.
The Ponemon Institute’s 2022 report on this subject measures a 44% increase in insider threat incidents since 2020.
2021 was a year unlike any other, for both cybercriminals and security professionals
A year that saw an explosion of ransomware, a new breed of SMS attacks, and where legitimate cloud services became a hotbed for criminal activity. We detail all these developments, as well as prevention strategies, in our new report: The Human Factor 2022.
Download today to learn:
- The ways attackers are targeting your people.
- The harm caused when privileged access is compromised.
- Why a people-centric cyber defence is essential.
Thank you for filling out the form.
Vulnerability
Report Highlight: Quantifying Vulnerability
The easiest way to quantify vulnerability without putting your organisation
at risk is to test employee responses to simulated threats. Data collected last year from our phishing simulation tool showed a failure rate range of between 4%–20% depending on the type of attack being tested.
Viewed by department, failure rates vary from 6%–12% with the average being 11%. Several high-profile (and highly targeted) departments fill out the lower reaches of the table, including IT, legal and finance, though there are several potentially lucrative targets at or above the average rate, including operations and purchasing.
Attacks
Report Highlight: Malware Who’s Who
Before the 2021 takedown of its infrastructure, Emotet was the world’s most frequently distributed malware. Since returning at the end of the year, Emotet’s developers have been linked with both TrickBot and Conti groups.
Privilege
Report Highlight: High-privilege users disproportionately targeted in attacks
Across the organisations in our dataset, around 10% of users are classified as being managers, directors or executives. However, our data shows that this group represents almost 50% of the most severe risk or attack.
Similarly, departments that deal with sensitive information, such as finance, human resources and legal, tend to be at higher risk than functions such as marketing and product.