The ‘Psychology of Human Error’ report by Tessian aims to help companies better train employees to prevent mistakes from happening before they turn into breaches. 2,000 employees in the US and UK were surveyed, and some of the key findings include:
- 43% of employees have made mistakes at work that compromised cybersecurity
- Younger workers (18-30 yrs) are 5x more likely to make mistakes with security consequences for their company
- 57% of employees are more distracted when working from home
- A third of workers rarely or never think about cybersecurity at work
- Tech industry workers are the most likely to click on links in phishing emails, followed closely by employees in Banking and Finance
The report makes an important point: people should not be considered the weakest link in a company's security chain, even though most known breaches stem from human error. What is lacking in this critical human dimension of cybersecurity is proper training, risk awareness, and company policies and processes that help people manage technology better. The risk of getting this wrong was most recently on display with the Twitter hack.
One takeaway from the report is that cyber hygiene mistakes are correlated with high cyber ‘self-confidence’. Younger workers, who are considered digital natives, are far more likely to engage in poor cyber hygiene than older workers, who are more wary of the risks of making a mistake. The same pattern appears among tech industry and banking and finance workers. These tech-savvy workers should in theory be the most aware of and sensitive to cyber risks, but are instead the most likely to click on links in phishing emails. Since the report ties this finding to the fast-paced cultures of these sectors, it can be deduced that issues beyond security itself, such as corporate culture and workload expectations, can directly affect cyber performance. Strong cybersecurity requires a more holistic approach than having the right technology in place and training people on what to do and what not to do.
Cyberhedge data on company-level cyber performance indicates that the difference between the strongest and weakest firms on cyber governance comes down to the human side of things, such as staff training and security policies and procedures. This report shows that companies need to make cyber training and the development of systems that improve the human management of technology an ongoing priority.
But it also highlights that if the aim is to improve the human management of technology in order to lower the related risks to the company, training and awareness-raising efforts cannot be uniform. Tailored training that addresses the demonstrated behaviors and attitudes of specific groups of employees is likely to be more effective than a ‘one size fits all’ approach to cyber hygiene training. A company should not necessarily design the same training for a 45-year-old mid-career accountant as for a 23-year-old entry-level customer service representative.