Human Error Can’t Be Stopped, But the Risk Can Be Mitigated
Even Conscientious Employees Will Make Security Blunders
The top cause of cybersecurity incidents isn’t malicious employee actions, sabotage or hacking. It’s employee error. Human error is responsible for an estimated 90% of security breaches according to IBM’s X-Force Threat Intelligence Index. The reigning champion of security risks is something that every IT team grapples with daily. While it is impossible to eliminate the chance that employees will make mistakes, it is possible to mitigate the risk of a cybersecurity disaster due to an employee error.
Excerpted in part from our eBook The Guide to Reducing Insider Risk.
8 Employee Blunders and Why They Happen
These are the most common mistakes that employees make and a look at why they make them.
Opening a phishing email
Phishing risk varies by industry. Many factors can impact the calculus for exactly how likely an employee is to fall prey to a phishing attack. Throughout the last few years, we’ve seen how cyberattack risk shifts in industries based on factors like public need, production pressure and profitability of their data. An estimated 74% of respondents in a business survey admitted that their companies had been successfully phished in the last year.
Downloading a dodgy attachment
Employees are being inundated with shady attachments. An estimated 48% of malicious email attachments that were sent out in 2020 were Office files. Microsoft Office formats like Word, PowerPoint and Excel are popular file extensions for cybercriminals to use when transmitting malware via email, accounting for 38% of phishing attacks. The next most popular delivery method: archived files such as .zip and .jar, which account for about 37% of malicious transmissions.
Sending someone the wrong file
Misdelivery was cited as the number four cause of a data breach in Verizon’s 2021 Data Breach Investigations Report, down from number three in 2020. It is responsible for around 30% of data breaches. That misdelivery could be internal, like sending a file to someone in the organization who isn’t authorized to view it, or external, like sending sensitive information to the wrong clients through an email distribution list.
Giving another employee their login credentials
Approximately 60% of data breaches involve the improper use of credentials. Unfortunately, employees are notorious for sharing passwords, especially when the course of their work involves routine, time-consuming manager approvals for mundane tasks. An estimated 40% of employees admitted to having shared workplace passwords in a 2021 survey. Worse yet, 43% of employees said that their workplace commonly shares passwords within a large group.
Writing down a password
More than 40% of organizations rely on sticky notes for password management, creating a slew of password security risks. Employees know that their bad password behaviors are dangerous too, but that doesn’t stop them. Over 90% of participants in a password habits survey understood the risk of poor password hygiene, but 59% admitted to still engaging in unsafe password behaviors like using sticky notes for password storage anyway.
Falling for a scam
Today’s sophisticated, carefully socially engineered email threats can be incredibly enticing to employees, opening the door for ransomware, business email compromise, account takeover and other dangerous consequences. An estimated 97% of employees cannot identify a sophisticated phishing email, the most common method that bad actors use to scam employees.
Clicking a malicious link
Click-happy employees are a huge security risk. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email. In a phishing simulation, users in North America struggled the most, posting a 25.5% click rate and an 18% overall credential submission rate. This means that a little over 7 out of every 10 clickers willingly compromised their login data. Users in Europe exhibited lower click and submission rates of 17% and 11%, respectively.
Visiting a dangerous website
Employees spend a great deal of time on the web these days in the course of doing business. Cloud-hosted everything became the norm as everyone went remote during the global pandemic. But security awareness training didn’t keep pace, leaving a healthy number of employees likely to make bad decisions about logging in at sketchy websites. 67% of the employees tested in a phishing simulation who clicked through to the dummy malicious website submitted their login credentials, up from a scant 2% in 2019.
3 Major Drivers of Employee Error
The Always-On Mentality
In a 2020 survey of worker habits, about 60% of employees noted that they are working in environments where distractions are commonplace. Many of those employees have adopted an always-at-work approach that can lead to email handling errors — 73% of the employees surveyed said that they regularly read and respond to work email outside of their working hours, and almost one-quarter of employees (24%) reported they handle work email while doing other things.
Stress & Distraction
Employees who are dealing with undue stress at work or at home are likely to make cybersecurity mistakes. Over 50% of respondents in a working habits survey admitted that they were more error-prone while stressed. More than 55% of workers in an employee error detection survey admitted that they were frequently off-balance when working from home, leading to security blunders – 40% said they made more mistakes when they were tired or distracted. Altogether 43% of the workers surveyed reported that they had made mistakes resulting in cybersecurity repercussions for themselves or their company while working remotely.
Lack of Training
Less than 60% of companies run regular security awareness training, leaving employees in the dark about risks. Security awareness training neglect also contributes to a weak cybersecurity culture in which employees are more likely to be negligent. But a commitment to a vibrant security culture that prevents things like employee errors has to come from the top down, and many executives don’t help build it. IBM cites simple bravado followed by unfamiliarity with potential risks as a strong driver of failure in top-down security culture – 60% of SMB owners feel that they will not face any kind of cybersecurity incidents.
Factors That Increase Employee Error Probability
At the end of the day, as long as human beings are working in a business, there’s always a chance that an employee will make an error that negatively impacts security. But some circumstances within a business make employees more likely to make an error than others.
Employees are more likely to make an error if:
- They don’t know what threats look like
- They’re experiencing undue stress, distraction or time constraints
- They don’t feel confident judging a threat
- They’re afraid of technology
- They don’t know who to ask for help
- They fear job loss or demotion if they make a mistake
- They think they’ll be laughed at for asking for help
- They fear punishment like remedial training
- They don’t know how to report a problem
- They have little to no security awareness training
- They don’t have the right tools to stop an incident
- They don’t believe that security is important
Build Better Habits with Security Awareness Training Using BullPhish ID
The bedrock of a strong security culture is security awareness. ID Agent can help you build it. Teach employees to spot and stop security threats and familiarize them with security best practices in the way that’s right for every unique business with BullPhish ID.
- Easily train employees using a vast library of video lessons on subjects like compliance, credential handling, ransomware, industry regulations and more, all in one place
- Choose from hundreds of pre-made phishing simulation kits and video security lessons in 7 languages
- Customize phishing kits and videos to simulate specialized industry threats in a flash
- Automate delivery through a user-friendly, personalized delivery portal for each user
- Measure effectiveness with built-in quizzes and simple automated reports
- New phishing kits and security lesson videos are added monthly
Contact our solutions experts today to get started.