Nearly half of employees have made mistakes that have had cybersecurity repercussions for themselves or their companies, according to a new report from email security firm Tessian.
The report, The Psychology of Human Error, surveyed 1,000 workers in the US and 1,000 in the UK at the height of the COVID-19 outbreak in April. It found that 43% of workers admitted to having made mistakes that resulted in cybersecurity repercussions.
The report also found that 20% of companies have lost customers as a result of mistakenly sending an email to the wrong person – an error that 58% of employees admitted to having made. Another 10% said they had lost their job after sending an email to the wrong person.
One in four survey respondents said they had clicked on a link in a phishing email at work, according to the report. Surprisingly, tech-industry workers were the most likely to click on links in phishing emails, with 47% saying they had done so.
Distraction was cited as the number-one reason these mistakes happened, according to Tessian. Forty-seven percent of respondents cited distraction as the top reason for falling for a phishing scam, while 41% said it was why they had sent an email to the wrong person. Fifty-seven percent of workers admitted they’re more distracted when working from home – meaning the recent shift to remote work could open businesses up to more risks caused by human error.
Other reasons given for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that the email appeared to come from a senior executive (41%) or a well-known brand (41%). Forty-four percent of respondents cited fatigue as a factor in sending an email to the wrong person.
Employees said they made more mistakes at work when they were stressed (52%), tired (43%) and distracted (41%).
“Understanding how stress impacts behaviour is critical to improving cybersecurity,” said Jeff Hancock, a professor at Stanford University and an expert in social dynamics. “This year, people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret. Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”
Age and gender also played a role in people’s cybersecurity behaviour, according to the report. Employees aged 18-30 were five times more likely than those over 51 to have made a mistake that compromised their company’s cybersecurity. Men were twice as likely as women to fall for phishing scams, with 34% of men but only 17% of women saying they’d clicked on a phishing email.
“Cybersecurity training needs to reflect the fact that different demographics use technology and respond to threats in different ways and that a one-size-fits-all approach to training won’t work,” said Tim Sadler, co-founder and CEO of Tessian. “It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time, especially during these uncertain times. To prevent simple mistakes from turning into serious security incidents, businesses must prioritise cybersecurity at the human layer. This requires understanding individual employees’ behaviours and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person.”