One in four employees who made cybersecurity mistakes lost their jobs, says new data

March 29, 2022
The second edition of Tessian’s ‘Psychology of Human Error’ report reveals that people are falling for more advanced phishing scams – and the business stakes for mistakes are much higher

SAN FRANCISCO - March 29, 2022 – Email security company Tessian reveals that one in four employees lost their job in the last 12 months, after making a mistake that compromised their company’s security. The new report, which explores why people make errors at work, also found that:

  • Just over one in four respondents (26%) fell for a phishing email at work, in the last 12 months
  • Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error
  • Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT

When asked why these mistakes happened, half of the employees said they had sent emails to the wrong person because they were under pressure to send the email quickly - up from 34% reported by Tessian in its 2020 study - while over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working.

Tessian Psychology of Human Error Report 2022

“With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue - something they didn’t face two years ago,” said Jeff Hancock, a professor at Stanford University who contributed to the report. “When distracted and fatigued, people’s cognitive loads become overwhelmed and that’s when mistakes happen. Businesses need to understand how factors like stress can impact people’s cybersecurity behaviors and take steps to support employees so that they can work productively and securely.”

People are falling for more advanced phishing attacks

While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than they were in 2020.

Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company - up from 41% reported in 2020. In comparison, click-through rates on phishing emails whereby threat actors impersonated well-known brands dropped. These findings mirror those reported by the FBI, which found that business email compromise attacks (BEC) are eight times more common than ransomware and the losses from these attacks continue to grow year on year.

People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in smishing scam versus 24% of 18-to 24-year-olds.

The consequences of accidental data loss are more severe

On average, a US employee sends four emails to the wrong person every month - and organizations are taking tougher action in response to these mistakes that compromise data. Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person - up from the 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020.

Over one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built. Businesses also had to report the incidents to regulators. In fact, the number of breaches reported to the Information Commissioner’s Office, caused by data being sent to the wrong person via email, was 32% higher in the first nine months of 2021 than in the same period in 2020.

Employees are fearful of reporting mistakes

With harsher consequences in place, Tessian found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization.

Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees; and bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”

To read the full report, click here: https://bit.ly/3wAm770.

About the Research

In January 2022, Tessian commissioned OnePoll to survey 2,000 working professionals: 1,000 in the US and 1,000 in the UK. Survey respondents varied in age from 18-51+, occupied various roles across departments and industries, and worked within organizations ranging in size from 2-1,000+.

About Tessian

Tessian's mission is to secure the human layer by empowering people to do their best work, without security getting in their way. Using machine learning technology, Tessian automatically predicts and eliminates advanced threats on email caused by human error - like data exfiltration, accidental data loss, business email compromise and phishing attacks - with minimal disruption to employees' workflow. Founded in 2013, Tessian is backed by renowned investors like Sequoia, Accel, March Capital and Balderton Capital, and has offices in San Francisco, Boston and London.