Nearly Half of Employees Make Mistakes with Cybersecurity Repercussions

New research from firm Tessian reveals why people make mistakes, how blurred lines between work and home contribute, and the factors that influence cybersecurity behaviors


July 22, 2020 — SAN FRANCISCO — A new report from email security firm Tessian reveals that 43% of US and UK employees have made mistakes resulting in cybersecurity repercussions for themselves or their company. With human error being a leading cause of data breaches today, The Psychology of Human Error report examines why people make mistakes and how they can be prevented before they turn into breaches.


The mistakes people make and why


When asked about what types of mistakes they have made, one-quarter of employees confessed to clicking on links in a phishing email at work. Employees aged between 31-40 were four times more likely than employees aged over 51 to click on a phishing email, while men were twice as likely as women to do so.


Nearly half (47%) of employees cited distraction as a top reason for falling for a phishing scam. This was closely followed by the fact that the email looked legitimate (43%), with 41% saying the phishing email looked like it came from a senior executive or a well-known brand.


In addition to clicking on a malicious link, 58% of employees admitted to sending a work email to the wrong person, with nearly one-fifth (17%) of those emails going to the wrong external party. This simple error leads to serious consequences for both the individual and the company, which must report the incident to regulators as well as to its customers. In fact, one-fifth of respondents said their company had lost customers as a result of sending a misdirected email, while one in 10 employees (12%) lost their job.


The main reason cited for misdirected emails was fatigue (43%), closely followed by distraction (41%). With 57% of respondents saying they are more distracted when working from home, the sudden shift to remote working could make businesses more vulnerable to security incidents caused by human error.


How stress impacts cybersecurity


The report’s findings call for businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of the events of 2020. Employees revealed they make more mistakes when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).


It is worrying, then, that 61% of respondents said their company has a culture of presenteeism that makes them work longer hours than they need to, while nearly half of employees (46%) have experienced burnout. Businesses should also be mindful of how the global pandemic, and the move to working from home, have impacted employees’ wellbeing and how that relates to security.


Jeff Hancock, a professor at Stanford University and expert in social dynamics, contributed to the report and said, “Understanding how stress impacts behavior is critical to improving cybersecurity. The events of 2020 have meant that people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret. Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”


Why age matters


The report also shows that age, gender and industry play a role in people’s cybersecurity behaviors, revealing that a one-size-fits-all approach to cybersecurity training and awareness won’t work in preventing incidents of human error. Findings include:


  • Half of employees aged 18-30 say they have made mistakes that compromised their company’s cybersecurity, compared with 10% of workers over 51 who say the same.


  • 65% of 18-30 year-olds say they have sent an email to the wrong person, compared with 34% of those over 51.


  • 70% of employees who admitted to clicking a phishing email are aged between 18 and 40. In comparison, just 8% of those over 51 said they had done the same.


  • Workers in the Technology industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47%) admitting they had done so. This was closely followed by employees in Banking and Finance (45%).


Tim Sadler, CEO and co-founder of Tessian said, “Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time. To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.”