Distraction, stress and fatigue are big reasons why employees make bad cybersecurity decisions, according to a vendor-sponsored report released this morning.
Fifty-two per cent of the 2,000 respondents in the U.S. and the United Kingdom said, in general, they make more mistakes when they are stressed, tired (43 per cent), distracted (41 per cent), working quickly (36 per cent) or burned out (26 per cent).
A quarter of the respondents said that at some point during their career they’ve clicked on a link in a phishing email at work.
Of those, nearly half of respondents (45 per cent) cited distraction as the top reason for falling for a phishing scam. Other reasons were the email looked legitimate (43 per cent), it was supposedly from a senior executive (41 per cent), it was supposedly from a respected brand (41 per cent), followed by “I was tired,” and “I wasn’t paying attention.”
The study, called the Psychology of Human Error, was sponsored by email security vendor Tessian Ltd.
Among other things, it suggests the increasing number of people working from home because of the COVID-19 pandemic may lead to more cyber incidents. Just over half (57 per cent) of respondents agreed they feel more distracted when they work from home.
“Understanding how stress impacts behaviour is critical to improving cybersecurity,” wrote Jeff Hancock, a Stanford University professor of communications and an author of the report. “In 2020, people have experienced extremely stressful situations that have affected their health and finances, against a backdrop of political uncertainty and social unrest, while simultaneously juggling the demands of their jobs. It’s been overwhelming.
“The problem is that when people are stressed and distracted, they tend to make mistakes or decisions they later regret. And sadly, hackers prey on this vulnerability. Businesses need to educate employees on how hackers might take advantage of their stress and explain the scams people could be susceptible to.”
The report also found some gender and demographic differences among respondents. Men who were questioned were twice as likely as women to fall for phishing scams, with 34 per cent of male respondents saying they have clicked on a link in a phishing email versus just 17 per cent of women. “While researchers do not fully understand why gender difference is a factor in phishing attacks, it is known that men – on average – are more likely to take risks than women. This could explain why men are more likely to click on links in phishing emails,” the report says,
Younger workers were five times more likely to admit to errors that compromised their company’s cybersecurity than older generations, with half of 18-30 years olds saying they’ve made such mistakes versus just 10 per cent of workers over 51.
“Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways,” said Tim Sadler, CEO and co-founder of Tessian. “It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100 per cent of the time. To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviours and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.”