An illuminating new report from email security firm Tessian reveals that 43% of US and UK employees have made mistakes resulting in cybersecurity repercussions for themselves or their company. Human error is a leading cause of data breaches today. The Psychology of Human Error report examines why people make mistakes and how they can be prevented before they turn into breaches.
The mistakes people make and why
When asked about what types of mistakes they have made, one-quarter of employees confessed to clicking on links in a phishing email at work. Employees aged 31 to 40 were four times more likely than employees over 51 to click on a phishing email, while men were twice as likely as women to do so.
Nearly half (47%) of employees cited distraction as a top reason for falling for a phishing scam. This cause was closely followed by the fact that the email looked legitimate (43%), with 41% saying the phishing email looked like it came from a senior executive or a well-known brand.
In addition to clicking on a malicious link, 58% of employees admitted to sending a work email to the wrong person, with nearly one-fifth (17%) of those emails going to the wrong external party. This simple error can have severe consequences for both the individual and the company, which may have to report the incident to regulators and customers. One-fifth of respondents said their company had lost customers because of a misdirected email, and 12% of employees said they had lost their job over one.
The main reason cited for misdirected emails was fatigue (43%), closely followed by distraction (41%). With 57% of respondents saying they are more distracted when working from home, the sudden shift to remote working could make businesses more vulnerable to security incidents caused by human error.
How stress impacts cybersecurity
The report’s findings call for businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of the events of 2020. Employees revealed they make more mistakes when they are stressed (52%), tired (43%), distracted (41%), and working quickly (36%).
It isn’t comforting, then, that 61% of respondents said their company has a culture of presenteeism that makes them work longer hours than they need to, while nearly half of employees (46%) have experienced burnout. Businesses should also be mindful of how the global pandemic, and the move to working from home, have impacted employees’ wellbeing and how that relates to security.
Jeff Hancock, a Stanford University professor and expert in social dynamics, contributed to the report and said, “Understanding how stress impacts behavior is critical to improving cybersecurity. The events of 2020 have meant that people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret. Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”
Why age matters
The report also shows that age, gender, and industry play a role in people’s cybersecurity behaviors, revealing that a one-size-fits-all approach to cybersecurity training and awareness won’t prevent incidents of human error. Findings include:
- Half of the employees aged 18-30 say they have made mistakes that compromised their company’s cybersecurity, compared with 10% of workers over 51 who say the same.
- 65% of 18-30 year-olds say they have sent an email to the wrong person, compared with 34% of those over 51.
- 70% of employees who admitted to clicking a phishing email are aged 18 to 40. In comparison, just 8% of those over 51 said they had done the same.
- Workers in the technology industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47%) admitting they had done so, followed closely by employees in banking and finance (45%). Both are sectors one might have expected to be the least susceptible.
Tim Sadler, CEO and co-founder of Tessian, said, “Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time. To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.”
Every seasoned cybersecurity professional knows that the weakest link is the human factor. What makes these findings startling is how clearly they show that the social engineering used by bad actors has improved.
Gone are the days when a cursory glance for a suspicious sender domain or a misspelled word was enough to identify a phishing attempt. Educating employees, from the C-suite down, about the latest phishing techniques should be a top priority.
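The two impersonation patterns respondents describe (mail that appears to come from a senior executive, and mail from a domain that resembles a well-known brand) are exactly what a glance at the From: line misses. The following is an added example, not code from the article or from Tessian, showing the kind of header checks a mail gateway or a reviewer can apply before a tired employee ever sees the message: display-name impersonation of a known executive, lookalike domains (digit-for-letter swaps, Cyrillic homoglyphs, punycode, one-character edits) and a Reply-To pointing away from the apparent sender. The organisation domain, executive list, trusted brand list and every sample address are constructed for illustration.

```python
# Added example (not from the Tessian report or the article): heuristic checks on
# From:/Reply-To: headers for sender impersonation that a cursory glance misses.
# All domains, names and addresses below are constructed for illustration.
import unicodedata
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                                   # constructed organisation domain
# Display names that warrant scrutiny, each mapped to the only address it may legitimately use.
EXECUTIVES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}
# Domains attackers commonly imitate: our own plus brands/partners staff deal with (constructed).
TRUSTED_DOMAINS = {"example.com", "paypal.com", "microsoft.com"}

# Glyphs that read as Latin letters at a glance. NFKD does not fold Cyrillic letters,
# so the common homoglyphs are mapped explicitly.
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",
}
CONFUSABLE_SEQS = {"rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Collapse a domain to the ASCII string a reader 'sees' (a simplified form of
    Unicode TR39 skeleton matching). Only meaningful for comparison, never for display."""
    domain = domain.strip().lower()
    if "xn--" in domain:                                      # decode punycode labels first
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    # strip diacritics ('é' -> 'e' + combining mark, then drop the mark)
    domain = "".join(c for c in unicodedata.normalize("NFKD", domain)
                     if not unicodedata.combining(c))
    domain = "".join(CONFUSABLE_CHARS.get(c, c) for c in domain)
    for seq, rep in CONFUSABLE_SEQS.items():
        domain = domain.replace(seq, rep)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the plain O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str, reply_to: str = "") -> list:
    """Return (finding, detail) tuples for a From: header and optional Reply-To: header.
    An empty list means none of the three heuristics fired."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name_key = " ".join(name.lower().split())

    # 1. Display-name impersonation: a known executive's name on a different address.
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        findings.append(("display-name impersonation", f"{name!r} sent from {addr}"))

    # 2. Lookalike domain: same skeleton as, or one edit away from, a trusted domain
    #    while not actually being that domain. The edit-distance rule is restricted to
    #    longer domains to keep false positives down on short names.
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            break
        if sk == trusted or (len(trusted) >= 8 and edit_distance(sk, trusted) == 1):
            findings.append(("lookalike domain", f"{domain} resembles {trusted}"))
            break

    # 3. Reply-To off the sending domain: replies (and any payment details) go elsewhere.
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != domain:
            findings.append(("reply-to mismatch", f"replies go to {reply_domain}"))
    return findings


# Constructed sample: a brand domain with a Cyrillic 'о', as it would appear on the wire.
PUNYCODE_DOMAIN = "micr\u043esoft.com".encode("idna").decode("ascii")
SAMPLE_PUNYCODE_FROM = f"Microsoft <noreply@{PUNYCODE_DOMAIN}>"

if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example.com>", "Jane Doe <ceo.janedoe@gmail.com>",
                "PayPal <service@paypa1.com>", "IT Support <helpdesk@micosoft.com>",
                SAMPLE_PUNYCODE_FROM):
        print(hdr, "->", assess(hdr) or "ok")
    print("reply-to check ->", assess("Jane Doe <jane.doe@example.com>", "jane.doe@mail-example.net"))
```

These checks are a complement to, not a substitute for, SPF, DKIM and DMARC enforcement: authentication tells you whether example.com really sent the message, while the heuristics above catch the attacker who registers a domain that merely looks like example.com, or who needs no spoofing at all because the executive's name in the display field is enough. The "rn"/"vv" folding will occasionally collide on legitimate domains, which is why the skeleton is only compared against a short, curated trusted list rather than used to block mail outright.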
Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.