According to a new report by email security company Tessian, some 43% of employees have made mistakes that resulted in cybersecurity repercussions for themselves or their company. The report, titled ‘The Psychology of Human Error’, was based on a survey carried out in April of 2,000 participants from the UK and US, and set out to reveal the effects of stress, distraction and workplace disruption on people’s tendency to make errors at work.
The report also found that 20% of companies had lost customers after an email was mistakenly sent to the wrong recipient, where the content ranged from irrelevant information to, at worst, potentially sensitive information. Tessian said that as many as 58% of employees surveyed admitted to having sent an email to the wrong person at some point, and 10% said they had lost their job as a result of such an error.
Additionally, a quarter of respondents admitted to having clicked on a phishing email at work. Phishing emails are a common tool of scammers, who use them to ‘phish’ for, or steal, data from the recipient, often including financial and personal details. Interestingly, instances of clicking on phishing emails were most common in the tech sector, with 47% of employees in the field admitting to having done so.
Why are these mistakes so common?
Though the reasons these mistakes happen are likely numerous, Tessian’s report focused on psychological factors which may have contributed to lapses in staff focus.
The number one reason cited for mistakes that could jeopardise cybersecurity was distraction: 47% of employees said distraction was the main reason they had fallen for a phishing scam, while 41% cited it as the reason they had sent an email to the wrong recipient.
Contrary to many of the more positive arguments in favour of flexible work arrangements, some 57% of respondents said they were more distracted when working from home, which raises the question of whether the impact of employee mistakes has been even more acute during lockdown.
Other reasons staff gave for clicking on scam emails were that the phishing email initially appeared legitimate (43% of respondents) and that it appeared to come from a senior executive or a well-known brand (41%).
The final issue discussed in the report was fatigue. With the stress and hassle of reconfiguring work arrangements and lifestyles for lockdown life, some 44% of respondents stated that fatigue had contributed to them sending emails to the wrong person.
Speaking on the findings, Stanford University professor and expert in social dynamics Jeff Hancock commented:
“Understanding how stress impacts behaviour is critical to improving cybersecurity. This year, people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret. Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”
Beyond psychological strain, the report also looked at demographic factors. It found that staff aged 18-30 were five times more likely to have made mistakes that may have compromised their company’s cybersecurity than employees over the age of 51.
Further, Tessian also found that male employees were twice as likely as their female counterparts to fall for a phishing scam, with 34% of male employees having clicked on a data-stealing email versus 17% of female staff.
The alarming regularity of poor cybersecurity
Instances of high-profile cybersecurity breaches make their way into the news cycle on an uncomfortably regular basis for many consumers. Should the move to a more tech-integrated society continue at its current pace, companies will need to convince their users that online solutions do not come with inherent risk attached.
Speaking on how online security can be improved on an institutional level, Tessian CEO, Tim Sadler, commented:
“Cybersecurity training needs to reflect the fact that different demographics use technology and respond to threats in different ways and that a one-size-fits-all approach to training won’t work. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100 per cent of the time, especially during these uncertain times.”
“To prevent simple mistakes from turning into serious security incidents, businesses must prioritise cybersecurity at the human layer. This requires understanding individual employees’ behaviours and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person.”