June 13, 2019
People are too quick to click on emails
Modern working culture makes it impossible for employees to always make the right decision about what to do with emails, claims a new report from cybersecurity company Tessian and the University of Central Lancashire. The report Why Do People Make Mistakes? presents findings from a new survey of 1,000 UK employees, who were asked about their working environment and practices. Additionally, the report includes insights from cyber-psychologists Dr Helen Jones, University of Central Lancashire and Professor John Towse, Lancaster University, which further explains how certain factors in the workplace can cause people to make poor decisions.
The research suggests that workloads, office distractions, fatigue and stress affect a person’s cognitive capacity, potentially impairing their ability to identify signs of a potential cyber threat – such as a phishing scam or sending an email to the wrong address. This, the report argues, puts businesses’ data and systems at risk given that 52 percent of UK employees say they’ve accidentally sent a work email to the wrong person.
The factors that affect people’s ability to make the right cybersecurity decisions at work are listed below.
Under pressure, we are more likely to rely on impulsive, low-effort behavioural responses
Over half of UK employees (58 percent) say there is an expectation within their organisation to respond to emails quickly. Dependency on mobile phones isn’t helping the situation; nearly six in ten (59 percent) respondents say they use their mobile phones to send work emails out of office hours, with nearly a third doing so at least 2-3 times a week. Two in five respondents (39 percent) admit they respond to emails much more quickly on their phones.
Dr Helen Jones said, “Studies have repeatedly shown that time pressures significantly impact decision accuracy. Under pressure, we are more likely to rely on impulsive, low-effort behavioural responses and dedicate less attention to the situation in front of us. What’s more, an increased pressure upon employees to be constantly connected on-the-go means there is a higher likelihood of distraction and, therefore, mistakes.”
Tiredness and stress
The majority of UK employees (92 percent) feel tired at work, with people feeling most tired on Wednesday afternoons. In addition, 91 percent say they feel stressed at work, with people feeling stressed, on average, half of the working week (2.4 days). Worryingly, over three quarters of respondents (76 percent) say they make more mistakes when they are tired, while 71 percent say they make more mistakes when stressed.
“Tired and stressed employees pose a real risk to email security,” explains Jones. “When we are tired and stressed, we are less likely to question the legitimacy of messages and miss the cues that signal a threat. We are also much more impulsive when we are tired, making it harder to resist the urge to respond to a tempting or persuasive request in a phishing email.”
More than two in five UK employees (44 percent) describe their current workload as either ‘overwhelming’ or ‘heavy’. On top of a never-ending to-do list, employees are faced with many distractions, including:
- Office noise (37 percent)
- Colleagues ‘dropping by’ (34 percent)
- Email notifications (30 percent)
- Meetings (26 percent)
- Notifications on their personal phones (20 percent)
When juggling multiple tasks at once, employees will likely rely more on habitual behaviours rather than engaging in analytical thinking. This makes businesses more vulnerable to threats over email given that a person’s ability to focus is impaired.
Trickery and trust
Hackers are becoming smarter in their approaches to phishing, often impersonating well-known brands or senior executives within an organisation. One in 10 respondents admitted to clicking on a phishing email at work. This figure was much higher in the financial services industry where nearly one in three (29 percent) respondents in this sector admitted to clicking on a phishing email.