New Tessian report reveals that working environments stop people making safe cybersecurity decisions at work

12th June 2019 - London, UK. Today’s working environments are making it impossible for employees to make the right decision 100% of the time when faced with a potential cyber threat on email, reveals a new report from cybersecurity company Tessian.

The report - Why Do People Make Mistakes? - presents findings from a new survey, conducted by Tessian, in which 1,000 UK employees were asked about their working environment and practices. Additionally, the report includes insights from cyber-psychologists Dr Helen Jones, University of Central Lancashire and Professor John Towse, Lancaster University, which further explains how certain factors in the workplace can cause people to make suboptimal decisions, leading to dangerous behaviour on email.

The research reveals how overwhelming workloads, office distractions, fatigue and stress affect a person’s cognitive capacity, potentially impairing an employee’s ability to identify signs of a potential cyber threat - such as a phishing scam or sending an email to the wrong address. This, Tessian argues, puts businesses’ data and systems at risk given that 52% of UK employees say they’ve accidentally sent a work email to the wrong person.

Tim Sadler, CEO at Tessian said, “Every time someone sends or receives an email, they are making a decision. When you consider how much time we spend on email, it’s little wonder that sometimes those decisions result in mistakes. However, it takes just one mistake - one email being sent to the wrong person or falling for one convincing message - to compromise your company’s data and ruin its reputation. Businesses, therefore, need to consider how they can protect their employees on email.”

The factors that affect people’s ability to make the right cybersecurity decisions at work include:

#1: Quick-to-click cultures

Over half of UK employees (58%) say there is an expectation within their organisation to respond to emails quickly. Dependency on mobile phones isn’t helping the situation; nearly six in ten (59%) respondents say they use their mobile phones to send work emails out of office hours, with nearly a third doing so at least 2-3 times a week. Two in five respondents (39%) admit they respond to emails much more quickly on their phones.

Dr Helen Jones said, “Studies have repeatedly shown that time pressures significantly impact decision accuracy. Under pressure, we are more likely to rely on impulsive, low-effort behavioural responses and dedicate less attention to the situation in front of us. What’s more, an increased pressure upon employees to be constantly connected on-the-go means there is a higher likelihood of distraction and, therefore, mistakes.”

#2: Tired and stressed

The majority of UK employees (92%) feel tired at work, with people feeling most tired on Wednesday afternoons. In addition, 91% say they feel stressed at work, with people feeling stressed, on average, half of the working week (2.4 days).

Worryingly, over three quarters of respondents (76%) say they make more mistakes when they are tired, while 71% say they make more mistakes when stressed.

“Tired and stressed employees pose a real risk to email security,” explains Jones. “When we are tired and stressed, we are less likely to question the legitimacy of messages and miss the cues that signal a threat. We are also much more impulsive when we are tired, making it harder to resist the urge to respond to a tempting or persuasive request in a phishing email.”

#3: Information overload

More than two in five UK employees (44%) describe their current workload as either ‘overwhelming’ or ‘heavy’. On top of a never-ending to-do list, employees are faced with many distractions, including:

  1. Office noise (37%)
  2. Colleagues ‘dropping by’ (34%)
  3. Email notifications (30%)
  4. Meetings (26%)
  5. Notifications on their personal phones (20%)

When juggling multiple tasks at once, employees will likely rely more on habitual behaviours rather than engaging in analytical thinking. This makes businesses more vulnerable to threats over email given that a person’s ability to focus is impaired.

#4: Trickery and trust

Hackers are becoming smarter in their approaches to phishing, often impersonating well-known brands or senior executives within an organisation. One in 10 respondents admitted to clicking on a phishing email at work. This figure was much higher in the financial services industry where nearly one in three (29%) respondents in this sector admitted to clicking on a phishing email.

Sadler concludes, “Businesses cannot rely on employees being the first line of defence. Mistakes happen, especially when people are tired, stressed and overworked. Companies need to help people make conscious and safe cybersecurity decisions on email, putting a safety net in place to prevent the inevitable. Only then, can businesses protect their data and systems from human failure on email.”

Want to find out more? Read the report: Why Do People Make Mistakes?