Research Shows How To Prevent Mistakes Before They Become Breaches

  • By Maddie Rosenthal
  • 22 July 2020

We all make mistakes. But with over two-fifths of employees saying they’ve made mistakes at work that have had security repercussions, businesses need to find a way to stop mistakes from happening before they compromise cybersecurity. 

That’s why we developed our report The Psychology of Human Error, with the help of Jeff Hancock, a professor at Stanford University and expert in social dynamics online. 

We wanted to understand why these mistakes are happening, rather than simply dismissing incidents of human error as people acting carelessly or labeling people the ‘weakest link’ when it comes to security. By doing so, we hope businesses can better understand how to protect their people, and the data they control

Key findings:

  • 43% of employees have made mistakes that have compromised cybersecurity
  • A third of workers (33%) rarely or never think about cybersecurity when at work
  • 52% of employees make more mistakes when they’re stressed, while 43% are more error-prone when tired
  • 58% have sent an email to the wrong person at work and 1 in 5 companies lost customers after an employee sent a misdirected email 

Read on to learn why this matters. You can also register for our webinar on August 19 here. We’ll be exploring key findings from the report with Jeff Hancock. You’ll walk away with a better understanding of how hacker’s are manipulating employees and what you can do to stop them.

What mistakes are people making? 

The majority of our survey respondents said they had sent an email to the wrong person, with nearly one-fifth of these misdirected emails ending up in the wrong external person’s inbox. 

Far from just red-faced embarrassment, this simple mistake has devastating consequences. Not only do companies face the wrath of data protection regulators for flouting the rules of regulations like GDPR, our research reveals that one in five companies lost customers as a result of a misdirected email, because the trust they once had with their clients was broken. What’s more, one in 10 workers said they lost their job. 

Another mistake was clicking on links in phishing emails, something a quarter of respondents (25%) said they had done at work. This figure was significantly higher in the Technology industry however, with 47% of workers in this sector saying they’d fallen for phishing scams. It goes to show that even the most cybersecurity savvy people can make mistakes. 

Interestingly, men were twice as likely as women to fall for phishing scams. While researchers aren’t 100% sure as to why gender differences play a factor in phishing susceptibility, our report does show that demographics play a role in people’s cybersecurity behaviors at work. 

What’s causing these mistakes to happen? 

1. Younger employees are 5x more likely to make mistakes

50% aged 18-30 years olds said they had made such mistakes with security repercussions for themselves or their organization. Just 10% of workers over 51 said the same. 

This disparity, our report suggests, is not because younger workers are more careless. Rather, it may be because younger workers are actually more aware that they have made a mistake and are also more willing to admit their errors.

For older generations, Professor Hancock explains, self-presentation and respect in the workplace are hugely important. They may be more reluctant to admit they’ve made a mistake because they feel ashamed due to preconceived notions about their generations and technology.

Businesses, therefore, need to not only acknowledge how age affects cybersecurity behaviors but also find ways to deshame the reporting of mistakes in their organization.

2. 93% of employees are stressed and tired

Employees told us they make more mistakes at work when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%). 

This is concerning when you consider that an overwhelming 93% of employees surveyed said they were either tired or stressed at some point during the working week. This isn’t helped by the fact that nearly two-thirds of employees feel chained to their desks, with 61% saying there is a culture of presenteeism in their organization that makes them work longer hours than they need to. 

The Covid-19 pandemic has put people under huge amounts of stress and change. In light of the events of 2020, our findings call for businesses to empathize with people’s positions and understand the impact stress and working cultures have on cybersecurity.

“Understanding how stress impacts behavior is critical to improving cybersecurity. When people are stressed and distracted, they tend to make mistakes or decisions they later regret.”
Jeff Hancock The Harry and Norman Chandler Professor of Communication at Stanford University

3. 57% of employees are being driven to distraction

47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted. 

With over half of workers (57%) admitting they’re more distracted when working from home, the sudden shift to remote-working could open businesses up to even more risks caused by human error. It’s hardly surprising. We suddenly had to set-up offices in the homes we share with our young children, pets and our housemates. There’s a lot going on, and mistakes are likely to happen. 

“Working in unusual environments can be stressful and distracting. The events of 2020 mean our personal and professional spaces have blurred, and we’ve had to quickly learn new ways of operating and this has its challenges.”
Jeff Hancock Stanford University

4. 41% thought phishing emails were from someone they trusted

Over two-fifths of people (43%) mistakenly clicked on phishing emails because they thought the request was legitimate, while 41% said the email appeared to have come from either a senior executive or a well-known brand. 

Over the past few months, we’ve seen hackers impersonating well-known brands and trusted authorities in their phishing scams, taking advantage of people’s desire to seek guidance and information on the pandemic.

Impersonating someone in a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns. Why? Because they know how difficult or unlikely it is to ignore a request from someone you like, respect or report into. 

Businesses need to protect their people from these phishing scams. Educate staff on the ways hackers could take advantage of their circumstances and invest in solutions that can detect the impersonations, when your distracted and overworked employees can’t.

But how can businesses prevent these mistakes from happening in the first place? 

To successfully prevent mistakes from turning into serious security incidents, businesses have to take a more human approach. 

It’s all too easy to place the blame of data breaches on people’s mistakes. But businesses have to remember that not every employee is an expert in cybersecurity. In fact, a third of our survey respondents (33%) said they rarely or never think about cybersecurity when at work. They are focused on getting the jobs they were hired to do, done.

Training and policies help. However, combining this with machine intelligent security solutions – like Tessian – that automatically alert individuals of potential threats in real-time is a much more powerful tool in preventing mistakes before they turn into breaches. 

Alerting employees to the threat in-the-moment helps override impulsive and dangerous decision-making that could compromise cybersecurity. By using explainable machine learning, we arm employees with the information they need to apply conscious reasoning to their actions over email, making them think twice before doing something they might regret. 

“People learn best when they get fast feedback and when that feedback is in context. So not only will these real-time, contextual alerts reduce risks, it will also improve your human security layer.”
Jeff Hancock Stanford University

And with greater visibility into the behaviors of your riskiest and most at-risk employees, your teams can tailor security training and policies to influence and improve staff’s cybersecurity behaviors.

Only by protecting people and preventing their mistakes can you ensure data and systems remain secure, and help your people do their best work.

Read the full Psychology of Human Error report here.

Maddie Rosenthal