The Human Factor 2022

People-centric cybersecurity in an era of user-based risks.

The Human Factor of Cybersecurity

Since 2014, the Human Factor report has explored a simple premise: that people—not technology—are the most critical variable in today’s cyber threats.

In cybersecurity terms, 2021 was the breakout year when financially motivated cyber crime became a national security issue. It was also a year marked by ceaseless creativity from threat actors who worked to undermine digital defenses and take advantage of the many opportunities presented by an uncertain world.

After a year that changed the world, it turns out that some things stayed the same. Attackers remained as unscrupulous as ever, making protecting people from cyber threats an ongoing—and often fascinating—challenge.

Key Findings:

The Human Factor Report 2022
Managers and executives make up only 10% of users but represent almost 50% of attack-based risk.
Malicious URLs are 3-4x more common than malicious attachments.
Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.
Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures are themed around delivery notification.
More than 20 million messages attempted to deliver malware linked to an eventual ransomware attack.
of businesses are attacked by a compromised supplier each month.
of cloud tenants that received a suspicious login also saw suspicious post-access activity.
Data loss prevention alerts have stabilized as businesses adopt permanent hybrid work models.

What this report covers

This report dives deep into each of three facets of user risk: Vulnerability, Attacks and Privilege.

It examines key developments in the threat landscape. It explores the developing relationship between cyber criminal groups and what it means for the rest of us. And it explains how a people-centric defense can make users more resilient, mitigate attacks and manage privilege.

This report covers threats detected, mitigated and resolved during 2021 among Proofpoint deployments around the world, one of the largest, most diverse data sets in cybersecurity.

Mingling of business and personal

According to the results of a recent Proofpoint survey, almost half of working adults shifted to a remote working environment as a result of COVID-19. One thing to emerge clearly from this shift is a definite mingling of business and personal. And this is perhaps nowhere more apparent than in how people use their personal and work devices.

Nearly three-quarters said they used a personal device for work purposes.

77% said they accessed personal accounts on an employer-issued device.

55% of respondents admitted that they allow friends and family to use their work computers and phones.

Ponemon Institute has reported a 44% increase in insider threat incidents since 2020.

2021 was a year unlike any other, for both cybercriminals and security professionals

It was a year that saw an explosion of ransomware, a new breed of SMS attacks, and legitimate cloud services becoming a hotbed for criminal activity. We detail all these developments, as well as prevention strategies, in our new report: The Human Factor 2022.

Download today to learn:

  • The ways attackers are targeting your people.
  • The harm caused when privileged access is compromised.
  • Why a people-centric cyber defense is essential.


Report Highlight: Quantifying Vulnerability

The easiest way to quantify vulnerability without putting your organization at risk is to test employee responses to simulated threats. Data collected last year from our phishing simulation tool showed failure rates of between 4% and 20%, depending on the type of attack being tested.

Viewed by department, failure rates vary from 6% to 12%, with the average being 11%. Several high-profile (and highly targeted) departments fill out the lower reaches of the table, including IT, legal and finance, though there are several potentially lucrative targets at or above the average rate, including operations and purchasing.


Report Highlight: Malware Who’s Who

In January 2021, an international law enforcement operation took down the Emotet botnet. Overnight, a threat responsible for nearly 10% of the previous year’s malicious email activity was gone. But cyber criminals are nothing if not opportunistic, and other operators stepped up to fill the gap. In 2021, a group we call TA511 emerged as the undisputed volume leader for malicious email, sending three times as many messages as the next most prolific attacker.


Report Highlight: High-privilege users disproportionately targeted in cyber-attacks

Across the organizations in our dataset, around 10% of users are classified as managers, directors or executives. However, our data shows that this group represents almost 50% of the most severe risk or attack.

Similarly, departments that deal with sensitive information, such as finance, human resources and legal, tend to be at higher risk than functions such as marketing and product.