The top cause of cybersecurity incidents isn’t malicious employee action, sabotage or outside hacking. It’s employee error. Human error is responsible for an estimated 90% of security breaches, according to IBM’s X-Force Threat Intelligence Index. The reigning champion of security risks is something that every IT team grapples with daily. While it is impossible to eliminate the chance that employees will make mistakes, it is possible to mitigate the risk that an employee error turns into a cybersecurity disaster.
These are the most common mistakes that employees make and a look at why they make them.
- Opening a phishing email. Phishing risk varies by industry, and many factors affect how likely a given employee is to fall prey to a phishing attack. Throughout the last few years, we’ve seen cyberattack risk shift between industries based on factors like public need, production pressure, and the profitability of their data to attackers. An estimated 74% of respondents in a business survey admitted that their companies had been successfully phished in the last year.
- Downloading a dodgy attachment. An estimated 94% of malware is still delivered via email, and an estimated 48% of malicious email attachments sent out in 2020 were Office files. Microsoft Office formats like Word, PowerPoint, and Excel are popular file types for cybercriminals transmitting malware via email, accounting for 38% of phishing attacks; these documents typically carry a malicious macro or embedded object that the recipient is lured into enabling. The next most popular delivery method is archived files such as .zip and .jar, which account for about 37% of malicious transmissions.
- Sending someone the wrong file. Misdelivery was cited as the number four cause of a data breach in Verizon’s 2021 Data Breach Investigations Report, down from number three in 2020. It is responsible for around 30% of data breaches. That misdelivery could be internal, like sending a file to someone in the organization who isn’t authorized to view it, or external, like sending sensitive information to the wrong clients in an email distribution list.
- Giving another employee their login credentials. Approximately 60% of data breaches involve the improper use of credentials. Unfortunately, employees are notorious for sharing passwords, especially when their work involves routine, time-consuming manager approvals for mundane tasks. An estimated 40% of employees admitted to having shared workplace passwords in a 2021 survey. Worse yet, 43% of employees said that their workplace commonly shares passwords within a large group. Shared credentials also make it impossible to attribute actions in audit logs to a single person, which hampers any later investigation.
- Writing down a password. More than 40% of organizations rely on sticky notes for password management, creating a slew of password security risks. Employees know that their bad password behaviors are dangerous, but that doesn’t stop them. Over 90% of participants in a password habits survey understood the risk of poor password hygiene, yet 59% admitted to still engaging in unsafe password behaviors like using sticky notes for password storage anyway.
- Falling for a scam. Today’s sophisticated, carefully socially engineered email threats can be incredibly enticing to employees, opening the door for ransomware, business email compromise, account takeover, and other dangerous consequences. An estimated 97% of employees cannot identify a sophisticated phishing email, the most common method that bad actors use to scam employees.
- Clicking a malicious link. Click-happy employees are a huge security risk. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 are likely to share the information requested in a phishing email. In a phishing simulation, users in North America struggled the most, posting a 25.5% click rate and an 18% overall credential submission rate. In other words, a little over 7 out of every 10 employees who clicked went on to hand over their login credentials. Users in Europe exhibited lower click and submission rates of 17% and 11%, respectively.
- Visiting a dangerous website. Employees spend a great deal of time on the web these days in the course of doing business. Cloud-hosted everything became the norm as everyone went remote during the global pandemic. But security awareness training didn’t keep pace, leaving a healthy number of employees likely to make bad decisions about logging in at sketchy websites. 67% of the employees tested in a phishing simulation who clicked through to the dummy malicious website submitted their login credentials, up from a scant 2% in 2019.
Factors That Increase Employee Error Probability:
At the end of the day, as long as human beings are working in a business, there’s always a chance that an employee will make an error that negatively impacts security. But some circumstances within a business make employees more likely to make an error than others.
Employees are more likely to make an error if:
- They don’t know what threats look like.
- They’re experiencing undue stress, distraction, or time constraints.
- They don’t feel confident judging a threat.
- They’re afraid of technology.
- They don’t know who to ask for help.
- They fear job loss or demotion if they make a mistake.
- They think they’ll be laughed at for asking for help.
- They fear punishment like remedial training.
- They don’t know how to report a problem.
- They have little to no security awareness training.
- They don’t have the right tools to stop an incident.
- They don’t believe that security is important.
Source: Id Agent.