Download the report.
Mistakes can cause significant damage to a company’s reputation, bottom line, and future. In fact, 88% of data breaches are caused by human error. That’s why we often hear that humans are the “weakest link” in security. But, this is not the case.
People are every organization’s most important asset, and businesses must find ways to protect them, while enabling them to work securely.
In this report, we combine survey data and insights from Stanford University Professor Jeff Hancock to explain the psychology behind human error and the reasons why people make mistakes at work. By doing so, businesses can better understand how to prevent incidents of human error from happening before they turn into breaches.
Younger employees were 5x more likely to admit to errors that compromised cybersecurity, with 50% of 18-30 years olds saying they have made such mistakes versus just 10% of workers over 51.
Professor Hancock suggests that this may be because younger workers are actually more aware that they have made a mistake and are more willing to admit their errors. For older generations, he explained, self-presentation and respect in the workplace is hugely important. They may be more reluctant to admit they’ve made a mistake because they don’t want to “lose face”. Businesses, therefore, need to deshame the reporting of mistakes.
One in four employees (25%) said they have clicked on a phishing email at work. Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a phishing email versus just 17% of women.
Interestingly, older employees were the least susceptible to phishing scams, with just 8% of workers over 51 saying they had clicked on a phishing link. 32% of 31-40 year olds said the same. However, the older generation were also the least likely to know what a phishing email was.
“The older generation have, in many ways, the potential tools and mindsets needed for detecting phishing attacks. They have more life experience, and they tend to have strong, close networks which means they are good at detecting when something doesn’t ‘feel’ quite right,” said Hancock. “But if you’re less experienced with these kinds of attacks, they’re going to be harder for you to spot.”
These findings explain why companies need to tailor security training for different age groups if they want the teachings to stick. “Different generations use tech, and have grown up with tech, in different ways. Training needs to reflect that,” said Hancock.
“Younger employees have a thirst for knowledge, so teach them the techniques that hackers will use to target them. Then, when they see a scam, they’ll be able to unpick it and understand it. On the other hand, we shouldn’t think that people over 50 are tech-illiterate. Businesses need to understand that respect and self-presentation are hugely important to this age group so telling them they don’t understand something isn’t going to be well-received. Instead, engage them in a conversation and help them understand how their strengths and weaknesses could be used in an attack.”
Our research suggests that working in tech doesn’t necessarily make you cybersecurity savvy. Employees in the technology industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47%) admitting they had done so. This was closely followed by employees in banking and finance (45%).
The tech industry also had the highest percentage of employees that agree there is an expectation in their organization to respond to emails quickly (85%), while 77% in the financial sector said the same. This suggests that quick-to-click and fast-paced working cultures could result in employees mistakenly clicking on phishing emails.
Nearly half of respondents (45%) cited distraction as the top reason for falling for a phishing scam. And with 57% of workers admitting they’re more distracted when working from home, the sudden shift to remote-working this year could open businesses up to greater risks.
Other reasons for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Impersonating a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns. To learn more, read this blog.
Another common mistake with cybersecurity repercussions is sending emails to the wrong person, and the majority of respondents (58%) said they have done this at work. Nearly one fifth (17%) of these misdirected emails were sent to someone outside of the organization.
The consequences of sending an email to the wrong person are far more severe than just red-faced embarrassment—one in five companies (20%) reported losing a customer as a result of the error, while one in ten workers said they lost their job (12%).
The top reason cited for sending emails to the wrong person was fatigue. In fact, the overwhelming majority of workers (93%) say they are tired and stressed at some point during the working week. Perhaps more worryingly, 46% of workers have experienced burnout during their career.
As well as having detrimental consequences for employees’ mental wellbeing, greater levels of stress and fatigue also increase the likelihood that they’ll make mistakes with serious cybersecurity repercussions.
Half of respondents (52%) told us that they’re more likely to make mistakes at work if they are stressed, while 43% say they are more error-prone when they are tired. Over a quarter of people will make mistakes when they feel burned out, and, with nearly half of workers experiencing burnout, the risks are high.
One third of respondents (33%) told us they rarely or never think about cybersecurity when at work. That’s the thing: not every employee is a cybersecurity expert. Your employees are focused on the job you hired them to do and when faced with to-do lists, distractions, and pressure to get things done quickly, cognitive loads become overwhelming and mistakes can happen.
To successfully prevent mistakes from turning into serious security incidents, businesses have to take a more human approach.
Training and policies help. However, combining this with machine intelligent technology that alerts individuals in real-time of potential phishing threats or mistakes will make them think twice before doing something they might regret. “People learn best when they get fast feedback and when that feedback is in context,” said Hancock. “So not only will real-time, contextual alerts reduce risks, it will also improve your human security layer.”
Read the full report to find out more.