Friday, 7th August 2020

Security mistakes with repercussions

New research from email security firm Tessian reveals why people make mistakes, how blurred lines between work and home contribute, and the factors that influence cybersecurity behaviours.

A new report from email security firm Tessian reveals that 43% of US and UK employees have made mistakes resulting in cybersecurity repercussions for themselves or their company. With human error being a leading cause of data breaches today, The Psychology of Human Error report examines why people make mistakes and how they can be prevented before they turn into breaches.

The mistakes people make and why

When asked about what types of mistakes they have made, one-quarter of employees confessed to clicking on links in a phishing email at work. Employees aged between 31-40 were four times more likely than employees aged over 51 to click on a phishing email, while men were twice as likely as women to do so.

Nearly half (47%) of employees cited distraction as a top reason for falling for a phishing scam. This was closely followed by the fact that the email looked legitimate (43%), with 41% saying the phishing email looked like it came from a senior executive or a well-known brand.

In addition to clicking on a malicious link, 58% of employees admitted to sending a work email to the wrong person, with nearly one-fifth (17%) of those emails going to the wrong external party. This simple error leads to serious consequences for both the individual and the company, who must report the incident to regulators as well as their customers. In fact, one-fifth of respondents said their company had lost customers as a result of sending a misdirected email, while one in 10 employees (12%) lost their job.

The main reason cited for misdirected emails was fatigue (43%), closely followed by distraction (41%). With 57% of respondents saying they are more distracted when working from home, the sudden shift to remote working could make businesses more vulnerable to security incidents caused by human error.

How stress impacts cybersecurity

The report’s findings call for businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of the events of 2020. Employees revealed they make more mistakes when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).

It is worrying, then, that 61% of respondents said their company has a culture of presenteeism that makes them work longer hours than they need to, while nearly half of employees (46%) have experienced burnout. Businesses should also be mindful of how the global pandemic, and the move to working from home, have impacted employees’ wellbeing and how that relates to security.

Jeff Hancock, a professor at Stanford University and expert in social dynamics, contributed to the report and said, “Understanding how stress impacts behavior is critical to improving cybersecurity. The events of 2020 have meant that people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret. Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”

Why age matters

The report also shows that age, gender and industry play a role in people's cybersecurity behaviors, revealing that a one-size-fits-all approach to cybersecurity training and awareness won’t work in preventing incidents of human error. Findings include:

·Half of employees aged 18-30 say they have made mistakes that compromised their company’s cybersecurity, compared with 10% of workers over 51 who say the same.

·65% of 18-30 year-olds say they have sent an email to the wrong person, compared with 34% of those over 51.

·70% of employees who admitted to clicking a phishing email are aged between 18-40 years old. In comparison, just 8% of those over 51 said they had done the same.

·Workers in the Technology industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47%) admitting they had done so. This was closely followed by employees in Banking and Finance (45%).

Tim Sadler, CEO and co-founder of Tessian said, “Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time. To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.“

Yet only four out of 10 security leaders in the UK can answer the question, “How secure, or at risk,...
Half of first-time security analysts working in Security Operations Centres (SOCs) plan to leave aft...
Featuring on-premises, controllable enterprise proxy to securely monitor and process automated certi...
LogRhythm has released its report, The State of the Security Team: Are Executives the Problem? The s...
New release brings cloud-native attacks and vulnerabilities to the forefront of the SOC, gives enter...
The SonicWall Capture Labs threat research team has published the mid-year update to the 2020 SonicW...
BSA | The Software Alliance is pleased that the decision by the European Court of Justice (ECJ) uphe...
Overwork and burnout are very real issues for the IT security industry in 2020, according to the Cha...