The stresses on staff working from home for extended periods are opening businesses up to a greater risk from cybersecurity incidents.
As the great global remote-working experiment for many office workers approaches its fifth month, employees are still struggling to adjust to both the practical and behavioural changes that the sudden change has called for. Email security firm Tessian found that increased levels of stress reported by workers in recent months meant it was more likely that businesses would experience cybersecurity incidents as a result of human error.
Its Psychology of Human Error report surveyed 1,000 workers in the UK and 1,000 workers in the US at the height of the coronavirus outbreak in April 2020, to reveal how stress, distraction and workplace disruption led to people making mistakes at work. Over half (52%) of employees said they were more error-prone while stressed, while over two-fifths said they made more mistakes when they felt tired (41%) or were distracted (42%). Small wonder, then, that 43% of employees reported that they had made mistakes resulting in cybersecurity repercussions for themselves or their company.
When looking at the reason why one in four respondents admitted to falling for phishing scams, 47% of respondents cited distraction as the main cause, with 57% of workers claiming that they were more distracted when working from home.
Jeff Hancock, professor of communication at Stanford University, suggested that the new normal of working from home means that the once clear lines between personal and professional lives had become blurred, making it more difficult to adopt the appropriate mindset for each scenario. The findings echo a report from Slack in mid-May, which concluded that working from home made it more difficult for remote workers to effectively “switch off” after a day’s work.
“Working in unusual environments can be stressful and distracting,” said Hancock. “Prior to the pandemic, people were used to operating in distinct spaces – home, work, social – and we had different ways of understanding the world in each space. The events of 2020 mean these spaces have blurred, and we’ve had to quickly learn new ways of operating and this has its challenges.”
Other reasons for people clicking on phishing emails included the fact that they looked legitimate (43%) and the fact that they appeared to have come from a senior executive (41%) or a well-known brand (also 41%). Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a spoof email compared to just 17% of women.
Those working in the tech industry were the most likely to click on phishing emails, with nearly half of respondents in this sector (47%) admitting to having done so. This was closely followed by employees in banking and finance, with 45% of workers admitting to having clicked on phishing links in emails.
Fatigue was another factor in causing workers to click on malicious links, and was also cited as a top reason for sending an email to the wrong person by 44% of respondents. Nearly half (46%) of respondents said they had experienced burnout in their career.
Such mistakes are leading to disastrous consequences for employers and employees, Tessian found: one in five companies reported that they had lost customers as a result of a misdirected email that resulted in a data breach.
Hancock warned that hackers continued to exploit the confusion caused by COVID-19 and the resulting shift to remote working. “This year, people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret,” he said.
“Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”
The report also revealed the role of age in employees’ cybersecurity behaviours. Tessian found that younger employees were five times more likely than their older peers to admit to errors that compromised their employer’s cybersecurity, with half of 18-30 year-olds saying they’d made such mistakes compared to just 10% of workers over the age of 51.
This could simply be because younger generations are typically more tech-savvy and can more easily spot when they’ve made an error, Tessian’s report said. Alternatively, older generations “may be more reluctant to admit they’ve made a mistake” due to shame or fear of losing face, it suggested.
Tim Sadler, CEO and co-founder of Tessian, said it was “unrealistic” to expect every employee to always make the correct IT security decisions “100% of the time”, and suggested that businesses could help prevent breaches by better understanding the psychological reasons that caused people to make mistakes.
“To prevent simple mistakes from turning into serious security incidents, businesses must prioritise cybersecurity at the human layer,” said Sadler. “This requires understanding individual employees’ behaviours and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person.”