Meet the business world’s riskiest user.

Intermedia’s 2015 Insider Risk Report looks at the security habits of 2000+ office workers according to age, role, industry and other groupings.
The findings fly in the face of conventional wisdom: the most tech-savvy employees are the ones most likely to create risk.

Who creates risk in YOUR organization?


In Intermedia’s 2015 Insider Risk Report, we surveyed more than 2,000 office workers in the US and UK to find the riskiest users.

The first thing that jumped out at us was the scope of the problem:

But if you’re a business owner, IT manager or compliance officer, you need to get deeper. What are the demographic trends? Are some employees creating greater risk than others?

So we sorted our 2,000+ responses across employee age, job title, tenure and industry. And with a margin of error ±2.17% at a 95% confidence interval, the results fly in the face of conventional wisdom: it’s the workers that are most familiar with technology that often cause the biggest risks.

This page contains highlights from our report. The full report is available for download below.

You’d think I.T. would know better.

Security habits correlated by job role

Of all the job roles in this survey—HR, marketing, operations, finance, sales—it was the people in IT who reported the poorest security habits in their responses.

“I was surprised by this. As an IT services provider, my company is on the front line against intrusions, hacks and interruptions caused by these exact kinds of practices. One of our biggest priorities is to keep data secure and confidential, and it shocks me that other IT people wouldn’t share the same outlook.”


- Mike Maendler, CEO, Technology & Beyond

“You’ve heard the saying, ‘100% of men say they’re better than the average driver.’ It’s the same thing. ‘100% of IT people say they’re better than average at security.’ You’ll also hear people say things like, ‘Why put on a seatbelt? I’ve been driving a long time without one and I’m still not dead.’ It’s the same mentality.”


- Jonathan Levine, CTO, Intermedia

“The ex-employee access is really scary. What are they walking away with when they leave? If they go to a competitor, what kind of damage can they do? Usually people delete stuff when they leave, which is bad enough—but it’s really bad when they can come back a few months later and do damage. Especially if it’s IT people with that access. That bothers me the most.”


- Felix Yanko, President, ServNet

Technology companies have a lot to worry about.

Security habits correlated by industry


Of all the industries we surveyed—legal, healthcare, finance, and so on—it was people who work in technology who reported the most risky security practices.

“It’s nearly always that technical people are the worst offenders. They know how to get around various controls that an IT team will put in place. It’s sometimes done with the best intent, but nevertheless with a complete lack of consideration for the risk or security implications.”

– Richard Walters , VP of Identity & Access Management, Intermedia

“The biggest vulnerability businesses face, by far, is using the same password in multiple systems. Unfortunately, tech people have more systems than the other industries. Some of the tools they use, like old Cisco gear that requires crazy passwords, force people to write the passwords down. Other systems don’t offer individual accounts, so everyone shares the administrator account.”

Martin Dunsby, CEO, Hybridge Inc

Kids these days.

Security habits correlated by employee age

“In most cases, Millennials know more about the apps they’re installing than IT does. Why would they ask whether or not it’s OK to install Spotify when the IT guys are still stuck in the 80s? These findings aren’t about insecure practices so much as about the confidence levels Millennials show in IT, and how much they view IT as a partner in their business versus a blockage to be avoided and worked around.”


- Martin Dunsby, CEO, Hybridge, Inc

“Everyone who is growing up now has grown up with social media, and the well-worn muscle is ‘share everything’. People share when they’re going on vacation, where they are, and how long they’ll be gone—which is like saying, ‘Go to my house and rob me—I’m not there!’ Whereas my generation grew up with a little more wariness. For younger people, their first experience is that ‘tech equals fun’. They don’t equate technology with anything serious or consequential.”


- Ryan Barrett, VP of Security and Privacy, Intermedia

“Young people grow up with technology, so it comes more naturally to them. Older generations have an inherent fear of technology, which is actually a really good thing when it comes to IT security practices.”


- Eric Aguado, COO, ThrottleNet

Long-term employees tend to let down their guard.

Security habits correlated by employment duration

“I think it’s a primal thing. When you’re new, your reputation is new, and if you screw up in the beginning, it can cost you your social standing. But if you’ve established yourself within the organization, you can probably survive even a really flagrant mistake. For new employees, the community won’t support you if you transgress, at least not as much as they would rally around an established veteran.”


- Ryan Barrett, VP of Security and Privacy, Intermedia

“As people stay longer with a company, they get more comfortable. And they get into a routine. They don’t realize that hackers have gained the ability to hack deeper. They get complacent because they’re still doing the same job even as IT and technology are advancing around them.”


- Mike Maendler, CEO, Technology & Beyond

“A lot of companies don’t have dynamic security policies. The policies don’t change much. They don’t refresh the training. So they gradually become irrelevant. If you don’t make the corporate tools evolve in lockstep with the consumer tools, then people learn from the consumer tools and try to figure out ways around corporate restrictions.”


- Jonathan Levine, CTO, Intermedia

Size doesn’t seem to matter.

Security habits correlated by employment duration

Regarding company size, the data showed no correlation between business size and user security habits. In some instances, employees at small businesses showed worse habits; while in others, it was big business employees showing worse habits.

We spotted only one significant trend: smaller businesses seem to offer less training and tools to bolster user security, as shown below.

“My last company had 80,000 employees, and everything was far more regimented. From the day you start, you get rigid IT training. But in the end, human habits are human habits, no matter what company you work for. If a person with bad IT habits leaves a small business to go work for a large company, why would their habits change?”


- Eric Aguado, COO, ThrottleNet

“It doesn’t matter how big your organization is, a computer is still a computer and a person is still a person. That’s why it’s up to security staff to craft policies that protect against user behavior.”


- Mike Maendler, CEO, Technology & Beyond

What should companies do about their #RiskiestUsers?

"When it comes to security, the more you can leverage technology to automate security, the better. ALL human beings are prone to errors and mistakes."

"Businesses and individuals need to be aware of the basics of social engineering. Tech has gotten so far ahead some folks. They need “street smarts”. You educate each person to their level, look at the risks they create and design the training to combat that risk. At the same time, put technology in to protect people from themselves."

"It’s important to provide tools that make it easier to follow the rules. Single sign-on, enterprise-class file sharing. Security is best done if you don’t even know you’re following a protocol."

"IT should be leading with new technology. They should be coming to users and saying, ‘We found the great next-gen thing, and we’re going to help you roll it out.’ If IT was much more eager to help folks take advantage of the treasure trove in the cloud, they wouldn’t find employees trying to actively bypass them."

"Make security continually new for everyone. Keep changing and updating the guidelines, so that nobody can lay claim to immunity. But keep it interesting—don’t just change the policy, change the experience. Remind people WHY it’s important."

"Employees aren’t doing this maliciously. They want to be more productive or cut through red tape. IT needs to shift from dictating what you can and can’t do to acting as a trusted advisor."

"The bad practices described here are symptoms, so we need to go after the root cause. We put in safeguards that protect users from themselves. You can’t teach common sense. So we develop technology that overcomes a lack of common sense."

Do something about your #RiskiestUsers

Read the full 2015 Insider Risk Report from Intermedia

See the 5 most common bad security habits

Get best practices for preventing insider risks

How can Intermedia help?

Intermedia is a one-stop shop for 30 cloud business applications. Our Office in the Cloud™ integrates a number of products that can improve the security habits of your users.

  • SecuriSync® backup and file sync

    What it does. This two-in-one app offers both file backup and file sharing & syncing, while giving business managers full control over access and a full audit trail.

    How it helps. SecuriSync improves user security practices in many different ways.

    • It deters Shadow IT because it’s just as easy to use as Dropbox—so users aren’t compelled to install unsanctioned file sharing tools.
    • It prevents insecure file storage and transfer practices because users can share files securely both inside and outside of the company, while retaining control over access at all times.
    • Its robust backup and version control features protect company data from being lost if files are accidentally or deliberately altered.
    • SecuriSync’s remote wipe capabilities prevent data theft when a device is lost or stolen, as well as ex-employee access.

    Learn more about SecuriSync >

  • Intermedia AppID® Single Sign-On

    What it does. This service stores passwords on a user’s behalf and provides a single portal for easy access to all their web apps. It logs them in with just one click.

    How it helps. AppID lets you connect employee credentials to third-party web apps via Active Directory, enabling you to prevent ex-employee access by disabling their logins with a single click.

    AppID also prevents insecure password practices because users simply don’t have to remember passwords.

    Learn more about AppID >

  • Intermedia AppID® Enterprise

    What it does. AppID Enterprise’s patented App Shaping technology enables admins to set policies that determine exactly which pages or elements within any web app users can access or see. For example, you can remove or grey out exporting functionality; hide or redact sensitive data; define access to features based on user role; and restrict access to ANY element within a web app.

    How it helps. This technology helps prevent unauthorized access and data breaches by ensuring that only authorized users are allowed to access sensitive data or perform certain tasks within the web app.


    What it does. AppID Enterprise gives you a detailed audit trail of all user interaction with any web app—from login to logout and everything in between, including screenshots. You can configure auditing levels for both individual users and applications as well as groups of users.

    How it helps. These features prevent misuse of data because employees know that their actions can be tracked. In addition, it makes it easier to facilitate compliance with regulations designed to avoid data breaches.

    Learn more about AppID Enterprise >

  • HostPilot® control panel

    What it does. Intermedia’s HostPilot control panel provides a single source of management across 30 business IT apps. This centralized control over your Office in the Cloud offers a number of key security features.

    How it helps. HostPilot helps you prevent data theft by offering remote wipe of devices. It also reduces the risk of poor password practices by letting you set policies regarding password length and complexity for Intermedia services.

    Learn more about HostPilot >

  • Active Directory®

    What it does. Offers centralized control over user identity. Active Directory helps you organize your company’s users, computers and other digital resources.

    How it helps. Protects against ex-employee access by enabling you to disable access to all your Intermedia services with just one click.

    Learn more about Active Directory >

  • Mobile Device Management

    What it does. Intermedia’s HostPilot control panel gives admins control over the mobile devices that are used to access Intermedia services.

    How it helps.

    • Admins can improve password practices by setting security and management policies, including passcode enforcement, for virtually all your mobile devices.
    • If a user’s mobile device is lost or stolen, you can use HostPilot to wipe the device right remotely and avoid the loss of company data and protect against ex-employee access.
    • Using HostPilot, admins can remotely wipe SecuriSync files off of laptops and desktops, too.
    • Admins can deactivate devices so they no longer receive emails.

    Learn more about HostPilot’s MDM capabilities >

  • Email security and compliance add-ons

    What we offer. Intermedia offers a number of critical security tools, including email security, email encryption, Single Sign-On (SSO) and more.

    How it helps.

    • Advanced Email Security provides comprehensive, multi-layered protection against malware, targeted attacks and unknown email threats. Advanced anti-phishing and spear phishing protection helps keep companies and users safe from ransomware. Learn more about Advanced Email Security.
    • Email Encryption automatically filters and scans your emails to help protect your company against data loss. It also helps you stay in compliance with HIPAA, SOX, GLBA and other regulations. Learn more about Email Encryption.
    • Intermedia AppID® centralizes web app access and management through an integrated SSO portal to prevent password leaks by eliminating multiple passwords and promote strong password policies. Learn more about AppID.

  • Email Archiving

    What it does. Email Archiving captures every email a user sends and receives and stores it in a tamper-proof archive.

    How it helps. Email Archiving is “tamper proof,” which means that emails containing critical company data cannot be intentionally or accidentally deleted by either employees or IT administrators. Email Archiving also helps companies easily find and restore information, simplify eDiscovery in the event of litigation, and facilitate compliance with industry rules and regulations.

    Learn more about Email Archiving >

Talk to an Intermedia representative about improving the security practices of your users with Intermedia’s Office in the Cloud™.


Follow @intermedia_net or discuss your experience using the hashtag #RiskiestUsers.

About Intermedia

Intermedia is the world’s largest independent provider of hosted Exchange. Our Office in the Cloud™ suite of cloud IT services includes Exchange Email, Email Security and Email Archiving along with over 25 other essential business tools. Our services are fully integrated, secure and mobile, with management through our central HostPilot™ control panel and backed by our Worry-Free Experience™ that includes a 99.999% uptime guarantee and J.D. Power certified 24/7 support.

Survey methodology. This study was commissioned by Intermedia and delivered by Precision Sample, an independent market research organization. Precision Sample has an active proprietary panel of over 3.5M respondents that is routinely validated with a stringent screening process including Verity®and RelevantID® by Imperium®. Results derived from a 10-minute online survey instrument with 34 total questions, fielded August 4-6, 2015. Setup questions were used to ensure that only office workers were in the sample, which was defined as those who use a computer, laptop, smartphone or tablet in their day-to-day work. Overall margin of error of +/- 2.17% at a 95% confidence interval.