43% of US and UK employees have made mistakes resulting in cybersecurity repercussions for themselves or their company, according to a Tessian report.
With human error being a leading cause of data breaches today, the report examines why people make mistakes and how they can be prevented before they turn into breaches.
Human error: The impact on cybersecurity
When asked about what types of mistakes they have made, one-quarter of employees confessed to clicking on links in a phishing email at work. Employees aged 31-40 were four times more likely than employees aged over 51 to click on a phishing email, while men were twice as likely as women to do so.
47% of employees cited distraction as a top reason for falling for a phishing scam. This was closely followed by the fact that the email looked legitimate (43%), with 41% saying the phishing email looked like it came from a senior executive or a well-known brand.
In addition to clicking on a malicious link, 58% of employees admitted to sending a work email to the wrong person, with 17% of those emails going to the wrong external party.
This simple error can lead to serious consequences for both the individual and the company, which must report the incident to regulators as well as to its customers. In fact, one-fifth of respondents said their company had lost customers as a result of sending a misdirected email, while 12% of employees lost their job.
The main reason cited for misdirected emails was fatigue (43%), closely followed by distraction (41%). With 57% of respondents saying they are more distracted when working from home, the sudden shift to remote working could make businesses more vulnerable to security incidents caused by human error.
How stress impacts cybersecurity
The report’s findings call for businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of the events of 2020. Employees revealed they make more mistakes when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).
It is worrying, then, that 61% of respondents said their company has a culture of presenteeism that makes them work longer hours than they need to, while 46% of employees have experienced burnout.
Businesses should also be mindful of how the global pandemic, and the move to working from home, have impacted employees’ wellbeing and how that relates to security.
Jeff Hancock, a professor at Stanford University and expert in social dynamics, contributed to the report and said, “Understanding how stress impacts behavior is critical to improving cybersecurity.
The events of 2020 have meant that people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret.
Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”
Why age matters
The report also shows that age, gender and industry play a role in people’s cybersecurity behaviors, revealing that a one-size-fits-all approach to cybersecurity training and awareness won’t work in preventing incidents of human error. Findings include:
- Half of employees aged 18-30 say they have made mistakes that compromised their company’s cybersecurity, compared with 10% of workers over 51 who say the same.
- 65% of 18-30 year-olds say they have sent an email to the wrong person, compared with 34% of those over 51.
- 70% of employees who admitted to clicking a phishing email are aged 18-40. In comparison, just 8% of those over 51 said they had done the same.
- Workers in the Technology industry were the most likely to click on links in phishing emails, with 47% of respondents in this sector admitting they had done so. This was closely followed by employees in Banking and Finance (45%).
Tim Sadler, CEO of Tessian said, “Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time.
“To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.”
48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals.
The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss.
Remote work compounds insider threats
While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe they can get away with riskier behavior when working from home. 48% cite “not being watched by IT” as a reason for not following safe data practices, closely followed by “being distracted” (47%).
Additionally, staff report that security policies are a hindrance — 51% say such policies impede productivity and 54% will find workarounds if security policies stop them from doing their jobs.
Eighty-four percent of IT leaders also say data loss prevention is more challenging when employees are working from home and 58% of employees think information is less secure when working remotely.
Abandoning security when working remotely: Data loss is pervasive
30% of breaches involve internal actors exposing company information, as a result of negligent or malicious acts. Insider threats and data loss over email are particularly challenging for IT leaders to control, due to a lack of visibility into the threat. Key findings reveal:
- U.S. employees are more than twice as likely as UK workers to send emails to the wrong person (72% vs. 31%).
- IT leaders in US organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year. Yet, Tessian platform data reveals that employees send at least 800 misdirected emails per year – 1.6x more than IT leaders estimate.
- U.S. employees are twice as likely to send company data to their personal email accounts as their UK counterparts (82% vs. 35%).
- IT leaders in US organizations with over 1,000 employees estimate that just 720 emails are sent to unauthorized accounts a year. The reality, per Tessian platform data, is at least 27,500 unauthorized emails are sent a year — 38x more than IT leaders estimate.
- One-third (34%) of employees take company documents with them when they leave a job, with U.S. workers twice as likely as UK workers to do so (45% vs. 23%).
IT leaders rely on security awareness training, policies and legacy technologies to prevent data loss, yet these practices may not be as effective as they think. The report finds that employees who receive security training every 1-3 months are almost twice as likely to send company data to personal accounts as those who receive training once a year (80% vs. 49%).
“Businesses have adapted quickly to the abrupt shift to remote working. The challenge they now face is protecting data from risky employee behaviors as working from home becomes the norm,” said Tim Sadler, CEO at Tessian.
“Human error is the biggest threat to companies’ data security, and IT teams lack true visibility of the threat. Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance.
“It’s critical these solutions do not impede employees’ productivity though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.”
Differences by age and company size
In addition to differences in safe security practices by region, there are also notable contrasts among age groups and startups vs. large enterprises. For example:
- 50% of workers from small companies (2-49 employees) agree they’re less likely to follow safe data practices when working from home, compared to only 30% from companies with 1,000 employees or more.
- Workers in the 18-30 age demographic are 3x more likely to send emails to the wrong person — 69% vs. 21% of workers who are 51 or older. And while 31-40 year olds are more careful on email, 57% admit to sending misdirected emails.
- 41% of workers aged 18-30 have taken company documents with them when they’ve left a job, compared to only 13% of workers aged 51 and older.
British low-cost airline group EasyJet revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach.
The result? Email addresses and travel details of approximately 9 million customers and credit card details (including CVV numbers) of 2,208 customers were accessed.
How did the attackers manage to breach EasyJet?
EasyJet did not say in its official notice when the incident happened, but told the BBC that it became aware of it in January and that the customers whose credit card details were stolen were notified in early April.
They also did not say how the attackers got in, only that it seems that they were after “company intellectual property.” Grabbing customer info might have been an afterthought or a secondary goal, then.
Richard Cassidy, senior director security strategy at Exabeam, says that by looking at recent breaches in the aviation industry, the tools, tactics and procedures (TTPs) being used are largely the same ones that have led to significant breaches in other industries.
“Attackers need credentials to access critical data – we can be certain of this – and often it is social engineering techniques that reveal those credentials. They then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this – as we are seeing here – it is then a case of packaging and exfiltrating critical data,” he added.
“Some airlines are doing it right – implementing state of the art behavioural analytics technologies that learn the normal behaviour of the network and immediately notify the security team when anomalies occur. Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTPs we’ve seen targeted at aviation this past decade.”
Professor Alan Woodward of the University of Surrey noted in a tweet (@ProfWoodward, May 19, 2020) that the stolen credit card information might have been the result of a Magecart attack.
It would not be the first time for an airline to be targeted by Magecart attackers – British Airways was hit in 2018.
Advice for affected customers
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO [the UK’s data protection watchdog], we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” said EasyJet Chief Executive Officer Johan Lundgren.
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”
Unsolicited communications may take the form of fake invoices, refund offers, requests for additional data, and so on.
“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website,” advised Tim Sadler, CEO, Tessian.
“Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time. The travel industry especially has been severely impacted by COVID-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future. Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices, and carrying them out at all times.”
The UK National Cyber Security Centre (NCSC) has advised affected customers to:
- Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information
- Change their password on their EasyJet accounts (and other accounts that have the same password)
- Check whether their account has appeared in any other public data breaches
- Report any fraud attempts, depending on their nature, to the police, the NCSC, and their bank’s fraud department.
If the number of women working in cybersecurity in the United States equalled that of men, the economic footprint of the U.S. cybersecurity industry would increase by $30.4 billion, according to Tessian.
Furthermore, an additional $12.7 billion would be added to the economy if women’s salaries were equal to those of their male colleagues; the current pay gap represents a 17% difference.
The firm surveyed 200 female cybersecurity professionals in both the U.S. and UK and interviewed more than a dozen practitioners from some of the world’s largest organizations about their personal experiences. The report highlights the potential impact of expanding gender diversity in cybersecurity as well as current perceptions around gender bias in the field.
- 82% of female cybersecurity professionals in the U.S. believe that cybersecurity has a gender bias problem, compared with 49% of those in the UK.
- The cybersecurity gender pay gap in the U.S. is 17%. In the UK, it’s 19%.
- U.S. respondents are three times as likely (68%) as UK respondents (22%) to believe that a more gender-balanced workforce would be an effective tool for recruiting more women to work in cybersecurity.
- 45% of U.S. respondents say equal pay would help with recruitment, compared with just 10% of UK respondents.
- 61% of U.S. respondents cite lack of qualified talent as a reason why 4 million cybersecurity jobs will be left unfilled by 2021, while only 33% of UK women cite lack of qualified talent as a barrier.
Factors discouraging women from joining the cybersecurity industry
- 42% of respondents (U.S. and UK) believe a cybersecurity skills gap exists because the industry isn’t considered ‘cool’ or ‘exciting’. This opinion was most commonly shared by millennials (46%) compared with 22% of 45-54-year-olds.
- A lack of awareness or knowledge of the industry was the top challenge female professionals faced at the start of their career, with 43% citing this as a barrier.
- 43% of women said that a lack of clear career development paths was another challenge at the start of their cybersecurity career, while nearly a quarter (23%) cited a lack of role models.
- Just 53% say their organization is doing enough to recruit women into security roles.
Perspectives from women in the industry
Sabrina Castiglione, senior executive at Tessian said, “For organizations to successfully recruit more women into security roles, they need to understand what’s discouraging them from signing up beyond just gender bias. We need to make women in cybersecurity more visible.
“We need to tell their stories and raise awareness of their roles and experiences. And once through the door, managers need to clearly show women the opportunities available to them to progress and develop their careers.”
Shamla Naidoo, former CISO at IBM, said, “To many people, cybersecurity equates to – and is limited to – someone in a hoodie bent over a keyboard in a dark room. That’s not the case at all. If we don’t expand beyond that, we’ll lose out on even more people in the industry.”
Castiglione added, “The future of cybersecurity needs diversity. 2019 was the worst year on record for data breaches, with 61% of organizations reporting a breach as a result of human error or malicious activity.
“With data breaches rising year on year, and with cyber threats continually evolving, we need different ideas and approaches to solving security problems if we are going to keep people and data safe.”