43 per cent of employees have made mistakes resulting in cybersecurity repercussions for themselves or their company, according to a new report, The Psychology of Human Error.
The report, by Tessian, surveyed 1,000 workers in the UK and 1,000 workers in the US at the height of the coronavirus outbreak in April, to reveal how stress, distraction and workplace disruption can cause people to make more mistakes at work.
Worryingly, the report found that one in five companies (20 per cent) have lost customers as a result of mistakenly sending an email to the wrong person – an error the majority of employees (58 per cent) admitted to making. A further 10 per cent of workers said they had lost their job after sending an email to the wrong person.
In addition, one in four survey respondents (25 per cent) admitted to clicking on a link in a phishing email at work. Interestingly, workers in the tech industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47 per cent) admitting they had done so.
When analysing why these mistakes happen, being distracted came out on top. 47 per cent of respondents cited distraction as the top reason for falling for a phishing scam, while 41 per cent said this was why they had sent an email to the wrong person. With 57 per cent of workers admitting they’re more distracted when working from home, Tessian’s report suggests the sudden shift to remote working this year could open employees and businesses up to even more risks caused by human error.
Other reasons for people clicking on phishing emails included the perceived legitimacy of the email (43 per cent) and the fact that the emails appeared to have come from either a senior executive (41 per cent) or a well-known brand (41 per cent). Fatigue was another factor that drove 44 per cent of employees to send an email to the wrong person.
With employees saying they make more mistakes at work when they are stressed (52 per cent), tired (43 per cent) and distracted (41 per cent), the report urges businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of this year’s events.
Jeff Hancock, a professor at Stanford University and expert in social dynamics, said: “Understanding how stress impacts behaviour is critical to improving cybersecurity. This year, people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret. Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”
The report also uncovers how age and gender play a role in people’s cybersecurity behaviours. For example, employees aged 18-30 were five times more likely than workers over 51 to have made a mistake that compromised their company’s cybersecurity. Men were also twice as likely as women to fall for phishing scams, with 34 per cent of men saying they’d clicked on a phishing scam versus 17 per cent of women.
Tim Sadler, CEO and co-founder of Tessian, said: “Cybersecurity training needs to reflect the fact that different demographics use technology and respond to threats in different ways and that a one-size-fits-all approach to training won’t work. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100 per cent of the time, especially during these uncertain times.
“To prevent simple mistakes from turning into serious security incidents, businesses must prioritise cybersecurity at the human layer. This requires understanding individual employees’ behaviours and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person.”