Commentary From Crisis Management Expert Edward Segal, Bestselling Author of the Award-Winning Book "Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies" (Nicholas Brealey)
For business leaders, there is never a good time for their employees to make mistakes on the job. This is especially true now for workers who have anything to do with the cybersecurity of their companies and organizations. Given the growing risks of cyberattacks across the world and the increased threats posed by Russia in the aftermath of its invasion of Ukraine, these are certainly perilous times.
Indeed, a new study released last week by email security company Tessian found that one in four employees (26%) lost their job in the last 12 months after making a mistake that compromised their company's security.
According to the second edition of Tessian's Psychology of Human Error report, people are falling for more advanced phishing scams—and the business stakes for mistakes are much higher.
Other Key Survey Findings
The study also found that:
- Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error
- Over one-third (36%) of employees have made a mistake at work that compromised security, and fewer are reporting their mistakes to IT
Mistakes Are On The Rise
According to the report:
- On average, a U.S. employee sends four emails to the wrong person every month—and organizations are taking tougher action in response to these mistakes that compromise data.
- Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person—up from 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020.
Delivering The Bad News
- Over one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built.
Explaining The Mistakes
- When asked why these mistakes happened, half of the employees said they had sent emails to the wrong person because they were under pressure to send the email quickly—up from 34% reported by Tessian in their 2020 study
- Over 40% of respondents cited distraction and fatigue as reasons for falling for phishing attacks.
- More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working, Tessian said.
About The Survey
In January 2021, Tessian commissioned OnePoll to survey 2,000 working professionals: 1,000 in the U.S. and 1,000 in the UK.
Survey respondents varied in age from 18 to more than 51. They worked in various roles across departments and industries and at organizations ranging in size from two to more than 1,000 people. The margin of error is 3.1%.
Surprising Results
'More Businesses Are Losing Customers'
Josh Yavor, the chief information security officer at Tessian, said, "It's surprising to see how many more businesses are losing customers over mistakes like employees sending emails to the wrong recipient and also how many more employees are losing their jobs because of these errors.
"The consequences of accidental data loss are certainly becoming harsher, and businesses are becoming less forgiving for mistakes that turn into serious data breaches.
More Mistakes
Yavor observed that "It's also surprising to see that people are making more mistakes that compromise security as a result of distraction or fatigue in the last 18 months.
"When you combine these findings with the Zoom fatigue study, carried out by Stanford researchers and referenced in the report, it becomes clear that hybrid working set-ups are significantly impacting people's cognitive loads and their abilities to stay focused at work."
Advice For Business Leaders
Offer A Shame-Free Environment
Yavor said that "Employees will be more likely to admit their mistakes or ask questions if the organization offers a shame-free, transparent environment. Why? Because rewards are far more effective than punishment.
Create Positive Security Experiences
"So rather than scaring employees into compliance, encourage employees to engage with security by creating positive security experiences so that you can cement a partnership mindset between security teams and staff. Those positive incentives will help combat security nihilism and build stronger security cultures," he predicted.
Encourage Breaks
Yavor counseled executives to "Consider how stress impacts cybersecurity behaviors, particularly when employees work in a remote or hybrid way, and take steps to mitigate this.
"For example, encourage employees to take regular breaks between virtual meetings or introduce 'no-video meeting' days, to help prevent cognitive overload caused by Zoom fatigue. Another way is to introduce intelligent technology solutions that can understand employees' behaviors and intervene when a mistake is about to occur, nudging the individual to make a safe cybersecurity decision," Yavor recommended.
Educate Workers
He thought business leaders should, "Educate employees on advanced phishing attacks - like business email compromise and account takeover—and new channels in which cybercriminals will target them—like smishing. By understanding what to look out for, why they could be a target, and the steps they should take if something doesn't look right, employees will feel more confident in spotting attacks and reporting them to IT teams."
Customize Training
Yavor recommended that companies and organizations "Tailor security awareness training to account for differences in security cultures and behaviors across different departments and demographics.
"Employees in highly regulated functions like finance, operations and legal have to comply with strict data regulations on a daily basis, and this means security risks are frequently top of mind. This will likely impact the security cultures in these departments and, consequently, the behaviors of the employees within them," he concluded.