43 percent of employees have admitted they were responsible for cybersecurity incidents that affected themselves or the company. The details are contained in Tessian’s latest report entitled: The Psychology of Human Error. Instead of focusing on blaming and shaming users’, this report seeks to uncover what causes mistakes to happen
The report surveyed 1,000 employees in the UK and the US, respectively. Interestingly, it was conducted in April as workers were adjusting to lockdown. As a result, it reveals the impact that stress, distraction and disruption to the workplace had on people’s judgement.
Tim Sadler, CEO and co-founder of Tessian, commented: “Cybersecurity training needs to reflect the fact that different demographics use technology and respond to threats in different ways and that a one-size-fits-all approach to training won’t work. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100 per cent of the time, especially during these uncertain times.
“To prevent simple mistakes from turning into serious security incidents, businesses must prioritise cybersecurity at the human layer. This requires understanding individual employees’ behaviours and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person.”
Why are employees making these mistakes?
Tessian worked with Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, to explain how certain factors impact human error. Unsurprisingly, distraction, stress and tiredness all figure high on the reasons why mistakes are made. No matter how much training employees undergo, these three issues will always increase the risk of an error.
Stress is related to age and presumably, the lack of coping mechanism. 62 percent of those aged 18-30 years old were affected compared to 45% of those aged 51+. According to Hancock: “The problem is that when people are stressed and distracted, they tend to make mistakes or decisions they later regret. And sadly, hackers prey on this vulnerability. Businesses need to educate employees on how hackers might take advantage of their stress and explain the scams people could be susceptible to.”
Tiredness (43%) and distraction (41%) are also significant factors when it comes to making mistakes. With remote working set to continue for the foreseeable future, organisations will need to develop new health approaches. Many studies over the last few months have shown that employees feel they have to work longer hours when at home.
It raises the question of what health policies organisations are implementing to support remote workers. It is far easier to manage workload and stress in an office than it is when the worker is remote. Additionally, distractions at home force employees to change their working hours which means time management becomes complex.
Users’ falling for phishing scams but are employers part of the problem?
Unsurprisingly, phishing was a key point of failure. The assumption among cybersecurity teams is that users’ take no notice of cybersecurity training. Respondents put a different view on that. Workers in the tech industry (47%) and financial services (45%) topped the list of those admitting to falling for phishing attacks. The average was just 25% of employees across all the industries.
The most common reason from both industries for this was an expectation (tech sector 85%, financial services (77%) that they would respond to emails quickly. It means that employees are not taking the time to check the veracity of emails. Criminals using phishing campaigns are getting smarter and making their email more believable. As employers pressure staff to respond faster, mistakes will continue to happen.
The report also shows that men (34%) were twice as likely as women (17%) to click on a phishing email. Gender is an issue in other studies. ResearchGate lists several studies that confirm the gender bias when it comes to falling for phishing attacks.
Age is another issue that Tessian identify in this report. It breaks into two parts. Those more likely to click on phishing emails are those aged 31-40 (32%). This age group is likely to contain team leaders and middle managers with likely heavy workloads. Based on the employer demands for responsiveness, these are most likely to feel that pressure.
The other age-related issue is awareness of phishing. This survey shows that baby boomers (51+) are least likely to know what a phishing attack is. It is a result that jars with a recent survey from Comparitech. Its survey shows that those aged 55+ (66%) were most aware of phishing. It shows that 18-22 year-olds (47%) were the least aware.
Poor email hygiene loses customers
Sending emails to the wrong person is a major issue for organisations. It results in breach notifications to regulators, fines, lost customers and damaged reputations. In this survey, 58% admitted to making this mistake with 20% admitting the company lost customers.
The survey gives tiredness (44%), being distracted (41%) and not paying attention (36%) as the main reasons for misdirected email. As with falling for phishing emails, the pressure to respond to email (34%) is well represented.
One of the causes of tiredness is the number of video calls that employees are taking at the moment. According to Hancock: “Having a conversation on Zoom is a very different experience than having a conversation in person. When you’re face-to-face, for example, you don’t stare directly at someone for long periods of time when they’re talking. Now and then, you look away.
“However, on Zoom, you have an audience – sometimes of multiple people – constantly staring directly back at you. All the while, we are unable to move because we have to keep our head in the frame. It’s intense and exhausting, especially if you are doing it many times a day.”
Enterprise Times: What does this mean?
There is already a large body of evidence that cybersecurity incidents have risen during the lockdown. It is not just down to poor behaviour by employees as some surveys would suggest. There is also a belief that employees are enjoying a more relaxed work environment during the lockdown. There is little evidence for that when issues such as tiredness and distraction are looked at.
Organisations also need to pay more attention to their business processes. One of the reasons that Business Email Compromise (BEC) attacks are successful is the lack of contact with colleagues. Pressure to respond to emails quicker means there is less time to verify the contents of an email. There is also less information security information sharing as people are less connected than before.
Many organisations have increased their training programmes or, at least, encouraged employees to learn new skills. The problem is that employees learn differently. Talk to any classroom trainer, and they can quickly identify those who are struggling or who need a different approach to learn. This is not happening during the lockdown. Employers need to address this.
Perhaps the biggest issue, however, is employee health and in particular, mental health. Stress and burnout are both called out in this report. Organisations need to rethink existing policies and develop new approaches to support remote workers. Failure to do so will result in more mistakes and potentially lost customers and more significant regulatory fines.