Making security mistakes may come with a high price for employees
Tessian reveals that one in four employees lost their jobs in the last 12 months after making a mistake that compromised their company’s security.
The new report, which explores why people make errors at work, also found that:
- 26% of respondents fell for a phishing email at work in the last 12 months
- 40% of employees sent an email to the wrong person, and 29% said their business lost a client or customer because of the error
- 36% of employees have made a mistake at work that compromised security, and fewer are reporting their mistakes to IT
When asked why these mistakes happened, half of employees said they had sent emails to the wrong person because they were under pressure to send the email quickly – up from 34% reported by Tessian in its 2020 study – while over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working.
“With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue – something they didn’t face two years ago,” said Jeff Hancock, a professor at Stanford University who contributed to the report.
“When distracted and fatigued, people’s cognitive loads become overwhelmed and that’s when mistakes happen. Businesses need to understand how factors like stress can impact people’s cybersecurity behaviors and take steps to support employees so that they can work productively and securely.”
People are falling for more advanced phishing attacks
While the share of employees who fell for phishing attacks rose by only one percentage point in the last 12 months, people were far more likely to fall for advanced phishing attacks than they were in 2020.
52% of employees said they fell for a phishing email because the attacker impersonated a senior executive at the company, up from 41% in 2020. By comparison, click-through rates on phishing emails in which threat actors impersonated well-known brands dropped. These findings mirror those reported by the FBI, which found that business email compromise (BEC) attacks are eight times more common than ransomware and that losses from these attacks continue to grow year on year.
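The executive impersonation described above is usually nothing more than a familiar display name in front of an address the executive does not own, sometimes with an external Reply-To so the victim's answer goes to the attacker. The check below is an added example, not code from the Tessian report or its product: a minimal rule an email gateway could apply to inbound mail. The organisation's domain, the executive directory and the sample messages are constructed for the illustration.

```python
"""Flag inbound mail whose display name impersonates a known executive.

Added example, not code from the Tessian report: a minimal check of the kind
an email gateway or mail-flow rule could apply. The organisation's domain,
the executive directory and the sample messages are constructed here.
"""
import re
from email.utils import parseaddr

# Constructed: the organisation's own domain and the legitimate addresses of
# its senior executives, as a gateway would load them from the directory.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": {"jane.doe@example.com"},
    "Sam Patel": {"sam.patel@example.com", "spatel@example.com"},
}


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and sort tokens so 'Doe, Jane',
    'JANE DOE' and 'jane.doe' all compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


DIRECTORY = {normalize_name(n): addrs for n, addrs in EXECUTIVES.items()}


def is_internal(address: str) -> bool:
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def check_message(headers: dict) -> list:
    """Return the reasons a message looks like executive impersonation.

    An empty list means no finding. `headers` maps header names to raw values.
    """
    findings = []
    display, address = parseaddr(headers.get("From", ""))
    address = address.lower()

    # 1. Display name matches an executive but the address is not one of theirs
    #    (e.g. "Jane Doe <jane.doe.ceo@gmail.com>").
    key = normalize_name(display)
    if key in DIRECTORY and address not in DIRECTORY[key]:
        findings.append(
            f"display name '{display}' matches an executive but sender is {address}")

    # 2. Display name carries an internal address, to fool clients that only
    #    show the name (e.g. "jane.doe@example.com" <attacker@mailbox.example.org>).
    if "@" + INTERNAL_DOMAIN in display.lower() and not is_internal(address):
        findings.append("display name contains an internal address but sender is external")

    # 3. Reply-To outside the organisation on mail that claims to be internal
    #    diverts the victim's reply to the attacker.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and is_internal(address) and not is_internal(reply_to):
        findings.append(f"Reply-To {reply_to.lower()} is outside {INTERNAL_DOMAIN}")
    return findings


# Constructed sample headers: one legitimate message and three impersonation
# patterns seen in BEC campaigns.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>"},
    {"From": '"jane.doe@example.com" <attacker@mailbox.example.org>'},
    {"From": '"Doe, Jane" <jane.doe@example.com>', "Reply-To": "jane@mail-example.net"},
]


def scan(messages: list) -> list:
    """Run check_message over each message and return the findings per message."""
    return [check_message(m) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(msg["From"], "->", findings or "ok")
```

Pattern 3 only fires when the From address itself is internal, which an attacker can spoof from outside unless SPF, DKIM and DMARC are enforced; in practice this rule sits behind sender authentication, and the executive list is pulled from the directory rather than hard-coded.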
People were also susceptible to phishing over SMS (smishing): one-third of respondents were duped by a smishing request in the last 12 months, compared with 26% who fell for phishing over email. Older employees were more susceptible to smishing; one-third of respondents aged over 55 complied with a smishing request, versus 24% of 18- to 24-year-olds.
The consequences for accidental data loss are more severe
On average, a US employee sends four emails to the wrong person every month – and organizations are taking tougher action in response to these mistakes that compromise data. 29% of employees said their business lost a client or customer after sending an email to the wrong person – up from the 20% in 2020. 21% of respondents also lost their job because of the mistake, versus 12% in July 2020.
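Most misdirected emails are autocomplete picking the wrong contact or a typo in the domain, so a pre-send check can catch many of them before the message leaves. The block below is an added example, not Tessian's product logic: it compares each recipient with the sender's past correspondents and warns about lookalike domains, first-time domains, and recipient lists that mix several external organisations. The sender history, internal domain and outgoing messages are constructed for the illustration.

```python
"""Pre-send check for misdirected email.

Added example, not Tessian's product logic: before a message leaves the
organisation, compare each recipient with the sender's past correspondents
and flag lookalike domains, first-time domains and address lists that mix
several external organisations (a common autocomplete mistake). The sender
history, internal domain and outgoing messages are constructed here.
"""
from __future__ import annotations

INTERNAL_DOMAIN = "example.com"

# Constructed: addresses this sender has previously emailed, as a mail client
# plug-in or gateway would derive them from the sent-items history.
SENDER_HISTORY = {
    "alice@clientco.com",
    "bob@clientco.com",
    "cfo@partnerbank.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.lower().rsplit("@", 1)[-1]


def check_recipients(recipients: list[str], history: set[str] = SENDER_HISTORY,
                     internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return warnings to show the sender before the message goes out.

    An empty list means every recipient is internal, previously emailed, or at
    a domain the sender already corresponds with.
    """
    known_domains = {domain_of(a) for a in history}
    warnings = []
    for rcpt in recipients:
        addr = rcpt.lower()
        dom = domain_of(addr)
        # A new person at a domain the sender already uses is treated as low risk.
        if dom == internal_domain or addr in history or dom in known_domains:
            continue
        # Within two edits of a domain the sender uses (or of our own domain):
        # a typo or a registered lookalike.
        lookalike = [k for k in known_domains | {internal_domain} if levenshtein(k, dom) <= 2]
        if lookalike:
            warnings.append(f"{addr}: domain {dom} looks like {lookalike[0]} (possible typo or lookalike)")
        else:
            warnings.append(f"{addr}: first email to domain {dom}")
    # Several external organisations on one message is the classic autocomplete slip.
    external = {domain_of(r) for r in recipients} - {internal_domain}
    if len(external) > 1:
        warnings.append(f"recipients span {len(external)} external domains: {sorted(external)}")
    return warnings


if __name__ == "__main__":
    # Constructed outgoing messages: one safe, one domain typo, one mixed audience.
    for rcpts in (["alice@clientco.com"],
                  ["alice@cliemtco.com"],
                  ["alice@clientco.com", "press@newsdesk.org"]):
        print(rcpts, "->", check_recipients(rcpts) or "ok")
```

The edit-distance threshold of two is a starting point; on very short domains it over-warns, so a deployment would tune it per domain length and suppress warnings for recipients the sender has confirmed once.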
35% of respondents had to report the accidental data loss to their customers, breaking the trust they had built. Businesses also had to report incidents to regulators: the number of breaches reported to the UK Information Commissioner’s Office (ICO) caused by data being emailed to the wrong person was 32% higher in the first nine months of 2021 than in the same period of 2020.
Employees are fearful of reporting security mistakes
With harsher consequences in place, fewer employees are reporting their mistakes to IT. 21% said they didn’t report security incidents, versus 16% in 2020, leaving security teams with less visibility of threats in the organization.
Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees, and bullying employees into compliance won’t work.
“Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”