Did you know that 43% of UK and US employees have made mistakes that have had cybersecurity repercussions for themselves or their company? That’s according to Tessian’s latest report, The Psychology of Human Error, which reveals employees admit to accidentally clicking on links in phishing emails and sending information to the wrong person.
While these mistakes may seem trivial on the surface, phishing is the number one threat vector in use today and one in five companies told us they have lost customers as a result of an employee sending an email to the wrong person. So, far from red-faced embarrassment, these mistakes are compromising businesses’ cybersecurity.
Our research shows, however, that we can’t simply blame people for their mistakes. There are a number of factors at play that increase the probability of people making mistakes at work—things like stress, distraction, fatigue and fast-paced working cultures. In fact, a significant number of respondents in our report said they are more likely to make mistakes when they are stressed (52%), tired (43%) or distracted (41%).
So what can leaders do to prevent their employees’ mistakes before they turn into serious security incidents?
Understand employee behaviours
First, reconsider how you deliver cybersecurity training. A one-size-fits-all approach to training won’t work; it needs to reflect the fact that different employees—particularly those of different age groups—use technology and detect and respond to threats in different ways. (We discuss this in more detail with a psychology expert from Stanford University in the report.)
Second, understand that it’s unrealistic for employees to act as your first line of defence. You cannot expect every employee to spot every scam or make the right cybersecurity decision 100% of the time, particularly when they’re dealing with stressful situations and working in environments filled with distractions.
Instead, learn how stress impacts people’s cybersecurity behaviours and tailor policies and procedures accordingly. Adopt security solutions that understand employee behaviours and alert people, in the moment, to any risks in front of them. By warning individuals in real time you can help override impulsive decisions and make people think twice before they do something they might regret.
To err is human
Third, normalise the reporting of mistakes and remove the shame. For older workers especially, self-presentation and respect are hugely important in the workplace. They may be reluctant to report mistakes because they feel ashamed due to preconceived notions about older generations and technology. In fact, nearly a quarter of over-51s said that, despite making an error, they didn’t report it to their IT team.
Data security incidents happen 38 times more often than IT leaders think. Without visibility, mistakes that compromise cybersecurity are happening without IT teams even knowing. Companies need to create a security culture that encourages employees to report their mistakes to IT, and provide clear channels for them to do this.
With remote working here to stay—plus the distractions it comes with—and with hackers continually finding ways to manipulate people into complying with their requests, business leaders must prioritise security at the human layer.
This requires understanding individual employees’ behaviours, learning how stress impacts decision-making and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person. Only by understanding why people make mistakes can you start to prevent the incidents of human error before they turn into security breaches.
Tim Sadler is CEO and co-founder of cybersecurity firm Tessian.