Penetration testing and vulnerability scanning are essential parts of any company’s cybersecurity strategy, but they test systems rather than people. Pen testing alone is sometimes not enough.
Why employees make security mistakes
According to The Psychology of Human Error report, the primary reasons why employees make security mistakes include:
- Tiredness & stress – 93% of employees say they feel stressed and tired, with 46% of these claiming to have experienced burn-out.
- Untrained – Don’t know enough to stay secure.
- Not paying attention / being distracted – 33% of employees don’t or rarely think about cybersecurity.
- Age – Although the perception is that younger people make more mistakes, there is not enough evidence to draw this conclusion. Research shows that older employees may be less aware of cyber threats and can be less willing to admit mistakes.
Common employee mistakes
Sending emails to the wrong person
According to the survey conducted by Tessian, 58% of respondents admitted to accidentally sending an email to the wrong person. This harms the business’s reputation (20% reported losing a customer) and the individual (12% reported losing their job).
A misdirected email also hands information to someone who was never meant to see it, which creates an opening for attackers and can amount to a data breach: 41% of organisations in the report had to inform their customers. Furthermore, this type of mistake often goes unreported (16%).
Falling for phishing scams
25% of employees admitted to clicking on a phishing email, with men twice as likely as women to be victims, although the report does not state the percentage of women surveyed.
Again with age, older employees were less likely to say they had fallen for a phishing scam. This could be because of an unwillingness to admit mistakes or because they are unaware that they have fallen victim.
Responding quickly
Many in the report stated that the expectation to respond to emails quickly was mostly to blame. Often, scam or phishing links are disguised: the visible link text is edited so that it looks legitimate, while the address behind it points somewhere else entirely.
For example, a link displayed as bbc.co.uk.
Although you might think from the displayed text that you will be taken to the BBC, the address behind that link leads back to our home page.
Tip! if you are on a desktop/laptop device, you can hover your mouse over the link to see the destination page in the bottom left-hand corner of your screen.
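The hover check can also be done programmatically. The following is an added example, not code from the original article or its authors: it extracts the hostname from an anchor's visible text (if the text looks like a web address), compares it with the hostname of the real `href`, and flags anchors where the two differ. The HTML fragment and all host names in it are constructed for the example.

```javascript
// Added example (not from the original article): flag hyperlinks whose visible
// text looks like a web address but whose real destination (href) points to a
// different host. This is the programmatic version of "hover and read the
// status bar". The sample HTML at the bottom is constructed for the example.

// Pull out the hostname from text that looks like a URL or bare domain;
// returns null if the text is not address-like (e.g. "Click here").
function hostFromDisplayText(text) {
  const t = text.trim();
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : 'http://' + t;
  try {
    const host = new URL(candidate).hostname.toLowerCase();
    // Require a dot so plain words such as "here" are not treated as hosts.
    return host.includes('.') ? host : null;
  } catch {
    return null; // WHATWG URL parser rejects spaces and other junk
  }
}

// True when `host` equals `base` or is a subdomain of it, so "www.bbc.co.uk"
// is accepted for displayed text "bbc.co.uk". "bbc.co.uk.evil.example" is not.
function sameSite(host, base) {
  return host === base || host.endsWith('.' + base);
}

// Verdict for one anchor. Returns an object rather than a boolean so callers
// can show the user what was displayed versus where the link really goes.
function checkLink(displayText, href) {
  const shownHost = hostFromDisplayText(displayText);
  let realHost;
  try {
    realHost = new URL(href).hostname.toLowerCase();
  } catch {
    return { deceptive: false, reason: 'href is not an absolute URL' };
  }
  if (shownHost === null) {
    return { deceptive: false, reason: 'display text is not address-like' };
  }
  if (sameSite(realHost, shownHost) || sameSite(shownHost, realHost)) {
    return { deceptive: false, reason: 'display text matches destination' };
  }
  return { deceptive: true, shownHost, realHost };
}

// Scan an HTML fragment for anchors and return the deceptive ones. A small
// regex is enough for this example's well-formed markup; on a real page use
// the DOM instead (document.querySelectorAll('a[href]') in the browser).
function findDeceptiveLinks(html) {
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  for (const m of html.matchAll(anchorRe)) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim(); // strip nested tags
    const verdict = checkLink(text, href);
    if (verdict.deceptive) findings.push({ text, href, ...verdict });
  }
  return findings;
}

// Constructed sample resembling the article's "bbc.co.uk" link: the first
// anchor is deceptive, the second is genuine, the third has non-address text.
const SAMPLE_EMAIL_HTML = `
  <p>Read the story at <a href="https://www.example.com/">bbc.co.uk</a>.</p>
  <p>Or use <a href="https://www.bbc.co.uk/news">bbc.co.uk</a> directly.</p>
  <p><a href="https://www.example.com/">Click here</a> to unsubscribe.</p>
`;

console.log(findDeceptiveLinks(SAMPLE_EMAIL_HTML));
```

Note that the check only fires when the visible text itself looks like an address; a link whose text is "Click here" cannot contradict its destination, so the hover check (or reading the status bar) remains the only defence for that case.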
Please note: modern browsers block many known-malicious sites and up-to-date anti-virus software catches a lot of malware, but neither will stop you from typing your password into a convincing lookalike login page, so checking where a link really goes still matters. Keep that built-in protection working by regularly running updates on your operating system, browser and applications, and make sure your anti-virus software is current.
Scam apps and web pages usually look low quality and try to scare or tempt you into clicking something unsafe, for example ‘you’ve been hacked, click here to restore your computer’ or ‘You have won a free Lamborghini, click here to claim.’
Distracted
Working from home is on the rise due to COVID-19, and an environment shared with other family members and children can lead to not paying proper attention.
Disguised legitimacy
Employees often believe the link they are clicking is genuine because it is:
- Corporate – The email uses the name and details of someone senior in the company; seeing that name as the sender distracts employees from noticing that the actual email address is different
- Branded – They thought it was from a trusted brand
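The "Corporate" trick above is display-name spoofing: the From header shows an executive's name while the address belongs to the attacker. The following is an added example, not code from the original article or its authors, showing how a mail gateway or add-in could check for it. The company domain, the executive directory and the sample From headers are all constructed for the example.

```javascript
// Added example (not from the original article): flag e-mails whose From
// display name matches a known senior person while the actual address is not
// that person's, plus addresses on lookalike domains. COMPANY_DOMAIN,
// EXECUTIVES and SAMPLE_FROM_HEADERS are constructed for the example.

const COMPANY_DOMAIN = 'acmewidgets.example';   // assumed company domain
const EXECUTIVES = new Map([                     // constructed directory: name -> real address
  ['jane doe', 'jane.doe@acmewidgets.example'],
  ['sam patel', 'sam.patel@acmewidgets.example'],
]);

// Parse From header values such as `"Jane Doe (CEO)" <ceo@freemail.example>`
// or a bare `jane.doe@acmewidgets.example` into { name, address }.
function parseFrom(headerValue) {
  const m = headerValue.match(/^\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$/);
  if (m) return { name: (m[1] || '').trim(), address: m[2].trim().toLowerCase() };
  return { name: '', address: headerValue.trim().toLowerCase() };
}

// "Jane.Doe (CEO)" and "JANE  DOE" both become "jane doe" so directory lookups
// are not defeated by punctuation, role suffixes or case.
function normaliseName(name) {
  return name.toLowerCase()
    .replace(/\(.*?\)/g, ' ')      // drop role suffixes like "(CEO)"
    .replace(/[^a-z\s]/g, ' ')     // punctuation and digits become spaces
    .trim().split(/\s+/).join(' ');
}

function domainOf(address) {
  const at = address.lastIndexOf('@');
  return at === -1 ? '' : address.slice(at + 1);
}

// Verdict for one From header: 'impersonation' (executive's name, someone
// else's address), 'lookalike-domain' (external domain that merely contains
// the company name) or 'ok'.
function checkFrom(headerValue) {
  const { name, address } = parseFrom(headerValue);
  const domain = domainOf(address);
  const internal = domain === COMPANY_DOMAIN || domain.endsWith('.' + COMPANY_DOMAIN);
  const execAddress = EXECUTIVES.get(normaliseName(name));
  if (execAddress && address !== execAddress) {
    return { verdict: 'impersonation', name, address, expected: execAddress };
  }
  const companyLabel = COMPANY_DOMAIN.split('.')[0];
  if (!internal && domain.includes(companyLabel)) {
    return { verdict: 'lookalike-domain', name, address };
  }
  return { verdict: 'ok', name, address };
}

// Convenience: verdict strings for a batch of headers, in order.
function auditHeaders(headers) {
  return headers.map((h) => checkFrom(h).verdict);
}

// Constructed sample headers: genuine, display-name spoof, lookalike domain,
// and an ordinary external sender with no display name.
const SAMPLE_FROM_HEADERS = [
  'Jane Doe <jane.doe@acmewidgets.example>',
  '"Jane Doe (CEO)" <ceo.jane.doe@freemail.example>',
  'Accounts <invoices@acmewidgets-secure.example>',
  'newsletter@vendor.example',
];

console.log(auditHeaders(SAMPLE_FROM_HEADERS));
```

The check deliberately flags an executive's name paired with any address other than the one in the directory, including an internal one, because the name is what the recipient reacts to; the cost is a false positive when an executive genuinely mails from a second address, which is exactly the case a process should make people verify by another channel.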
The importance of cybersecurity training
Training your employees in risk management is only half the job: you also need to put processes in place that are easy to follow, so that a tired or distracted person still does the safe thing. Contact us to learn more about educating your workforce on cybersecurity.