The actions that employees take have consequences for their employers. While most employees are trying their hardest to get the job done well and help the company thrive, they don’t always manage to do it without a few security hiccups like losing a password or forwarding the wrong email. Employees are human, and as long as human beings are part of a process, there’s always a chance for error. Unfortunately, the errors that employees make when handling email have potentially devastating consequences for their organizations.
Employees May Make Mistakes Due to These 3 Factors
That’s why the leading cause of cybersecurity incidents isn’t cyberattacks, sabotage or hackers. It is (and probably always will be) human error, the culprit in an estimated 90% of security breaches according to IBM’s X-Force Threat Intelligence Index. These three drivers are the primary causes of employee errors when handling email.
Just like any other business, cybercriminal gangs are always looking for ways to maximize efficiency, and phishing fits the bill. It’s the cheapest, easiest and most effective way to penetrate a company’s security. Of course, it’s also something that evolves just like any other business process, with changing techniques, increasing sophistication and new traps making it hard for companies to keep up. It’s also hard for everyone else to keep up – 97% of employees are unable to spot a sophisticated phishing email.
Employees encounter phishing threats every day, making phishing one of the biggest risks for an employee mistake. This is not good news for businesses, because phishing messages are also the carriers of some of today’s most devastating cyberattacks. Clicking on a phishing email is the most likely way that an employee will cause a security breach. In a Stanford University study, researchers determined:
- One in four employees (25%) said they have clicked on a phishing email at work
- Nearly 45% of respondents cited distraction as the top reason for falling for a phishing scam
- Around 50% of employees are sure that they have made an error that led to a security incident
These are the most common mistakes that employees make when handling email that could unleash a cybersecurity disaster on their employers.
Opening the Wrong Message
Phishing is still the most likely way for cybercriminals to penetrate security at organizations. It actually became more prominent in 2021, with just over 40% of intrusions facilitated through phishing. Risk varies because of myriad factors like current events, time of year, public need, production pressure and the profitability of a target’s data. But the bad guys never stop trying to get a hook to land. An estimated 74% of respondents in a business survey admitted that their companies had been successfully phished in the last year.
Scams are everywhere, and it’s far too easy for an employee to be taken in by scammers. One-fifth of employees admit to falling for phishing tricks that caused them to interact with malicious messages. The bad guys are always ready to pounce when a new opportunity presents itself thanks to tumultuous world events like the global pandemic or conflict in Ukraine. While it may not seem like something that businesses would have to be concerned with, sophisticated email scams can be devastating. Today’s sophisticated, carefully socially engineered email threats can be incredibly enticing to employees, opening the door for ransomware, business email compromise, account takeover and other dangerous consequences.
Interacting with a Malicious Attachment
A bane of IT teams: employees are regularly faced with convincing phishing schemes that use attachments. Primarily, bad actors mimic familiar Microsoft 365 attachments, but GSuite fraud is growing, especially comment phishing. An estimated 48% of malicious email attachments are disguised as a harmless, routine file, and those attachments can be anything from a termination notice to a list of charitable resources. The goal is to frighten employees into opening them, and it’s generally not that hard for bad actors to do. Microsoft Office formats like Word, PowerPoint and Excel are popular file types for cybercriminals to use when transmitting malware via email, accounting for 38% of phishing attacks. The next most popular delivery method: archived files such as .zip and .jar, which account for about 37% of malicious transmissions.
Clicking on a Dodgy Link
Click-happy employees are a huge security risk. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email. In a phishing simulation, users in North America struggled the most, posting a 25.5% click rate and an 18% overall credential submission rate. This means that a little over 7 out of every 10 clickers willingly compromised their logins. Users in Europe exhibited lower click and submission rates of 17% and 11%, respectively.
Employees spend a great deal of time on the web these days in the course of doing business. Cloud-hosted everything became the norm as everyone went remote during the global pandemic. But security awareness training didn’t keep pace, leaving a healthy number of employees likely to make bad decisions about logging in at sketchy websites. 67% of the employees tested in a phishing simulation who clicked through to the dummy malicious website submitted their login credentials, up from a scant 2% in 2019.
Negligence Due to Ignorance or Fear
A Toxic Security Culture is Devastating
The kind of negligence that helps mistakes flourish can arise from a company having a bad security culture. Security is everyone’s job, but not everyone understands that. 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department. That’s a disaster waiting to happen. That ignorance can be compounded by leadership attitudes toward security. In a CNBC survey, 56% of SMB owners said they are “not very concerned” about being the victim of a cyberattack in the next 12 months, and 24% said they were “not concerned at all.”
Overcoming these hurdles to ensure that security policies have executive buy-in and that employees are security-savvy will positively impact a company’s security culture, laying a strong foundation for defensive success. No company benefits when employees are kept in the dark about security or made to think of it as a big, complicated, dangerous bugbear. Besides, every tech team would rather learn about a security incident when it’s just a little difficulty, not when it has snowballed into a giant disaster. But far too often, employees behave dangerously because they’re afraid of asking for help or clarification, and that’s no help to anyone.
- Just under 30% of employees fail to report cybersecurity mistakes out of fear.
- More than 40% of employees don’t report potential phishing out of fear of getting in trouble.
- About 45% of employees click emails they consider to be suspicious “just in case it’s important.”
Remember, employees are more likely to make an error if…
- They don’t know what threats look like
- They’re experiencing undue stress, distraction or time constraints
- They don’t feel confident judging a threat
- They’re afraid of technology
- They don’t know who to ask for help
- They fear job loss or demotion if they make a mistake
- They think they’ll be laughed at for asking for help
- They fear punishment like remedial training
- They don’t know how to report a problem
- They have little to no security awareness training
- They don’t have the right tools to stop an incident
- They don’t believe that security is important
An estimated 34% of business IT leaders in an employee behavior survey admitted that a simple lack of employee understanding of today’s sophisticated phishing threats was their biggest security problem. Ensure that your company’s security culture isn’t doing more harm than good to reduce the chance that employees will make mistakes when handling email, and you’ll strengthen security now and in the future.
Stop phishing immediately with Graphus – the most simple, automated and affordable phishing defense available today.
The best way to prevent employee mistakes when handling email from damaging your company is to eliminate employees from the equation. Graphus doesn’t make mistakes. Choose AI-powered, automated email security to quickly and efficiently protect your company from some of today’s nastiest phishing-related cyberattacks without breaking the bank.
- Forget old-fashioned safe sender lists. Graphus analyzes the content of messages using more than 50 points of comparison to suss out fakes fast.
- Plus, automated security is up to 40% more effective at spotting and stopping malicious messages like phishing emails than a secure email gateway (SEG) or conventional security.
- And, you won’t waste any time on fussy configuration or adding threat reports. AI does that for you, getting everything up and running with just a few clicks and minimal maintenance.