Fall for Phishing? You Could Get Fired

One in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security, according to a report from email security company Tessian.

While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than they were in 2020.

The study found more than half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at their company, up from 41% reported in 2020.

People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months.

Phishing is an issue that grows every quarter for both consumers and enterprise users, with attackers primarily targeting individuals through mobile channels because of the number of ways they can get to an individual.

SMS, iMessage, email, social media, third-party messaging apps, gaming and even dating apps all have messaging functionality that attackers use to socially engineer targets within the context of the app they’re using.

Josh Yavor, CISO at Tessian, said cybersecurity is rarely top-of-mind for employees who already have overwhelming to-do lists and tight deadlines to meet.

“Therefore, consider how technology can automatically prompt people to think about threats and nudge them toward safe security decisions,” he said. “This type of real-time intervention puts security at the forefront for employees and remediates threats caused by human error.”

The Impact of Stress on Human Error

Yavor added that business and IT leaders need to consider how stress impacts cybersecurity behaviors, particularly when employees work in a remote or hybrid way.

Tessian’s report revealed, for example, that half of the respondents sent emails to the wrong person because they were under pressure to send the email quickly (a 47% increase from 2020), which was closely followed by distraction and fatigue.

“Encourage employees to take regular breaks between virtual meetings or introduce no-video meeting days to help prevent cognitive overload caused by Zoom fatigue,” he said. 

Rich Quattrocchi, vice president of digital transformation at Mutare, said the problem is further exacerbated by the sheer number of collaboration applications in use for both internal and external communication.

“Your company may use Cisco WebEx internally for video conferencing and have it completely locked down, but once you need to make or receive an external call from a different application that’s not company-sanctioned, the threat surface widens,” he said. 

Quattrocchi said companies should also include vishing in their security penetration testing, automated technical security controls and in their security awareness training to find and plug vulnerabilities before loss events happen.

“Threat capability, probability of action and contact frequency are constantly evolving,” he added. “It is a game of whack-a-mole. As soon as a scam or vulnerability is discovered and revealed or patched, a new threat arrives.”

Harsher Consequences, Decreased Reporting

With harsher consequences—like being fired—in place, the survey found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents versus 16% in 2020, resulting in security teams having less visibility into threats to the organization.

Yavor said another important part of building a stronger security culture requires businesses to move away from scaremongering and fear tactics when delivering security awareness training. 

“Employees are far more likely to admit their mistakes or ask questions if they’re part of a shame-free, transparent environment,” he explained. “Rather than scaring employees into compliance, create a positive security experience that encourages employees to engage with security, helping cement a partnership mindset between security teams and staff.”

Hank Schless, senior manager of security solutions at Lookout, an endpoint-to-cloud security company, said the changes in how we work have expanded the risk landscape for every organization, as employees use a mix of personal or unmanaged devices and networks to access sensitive data.

“Without the right solutions in place, organizations are leaving their employees exposed to advanced threats that take advantage of the lack of protection employees have on personal devices and networks,” he said. “Context-based data access is the best way for organizations to institute zero-trust in the hybrid work environment.”

Understanding clues such as location, device type and user risk posture can be crucial when trying to identify compromised accounts being leveraged by threat actors.

Schless said security awareness training is something that businesses have been carrying out for years, but added that it needs to be modernized to help employees understand the risks in today’s cloud-first world.

“Being able to access data from any device or location is incredibly convenient and boosts productivity, but also introduces increased risk of data loss,” he said. “Employees are constantly sharing data and might not even know when they do so in a way that violates internal or external data compliance standards.”

From his perspective, making employees aware of what qualifies as sensitive data, what the risks are of accessing that data from personal devices and the tactics attackers use to get their hands on it are the critical first steps to take.

“Businesses themselves also have to recognize that employees are going to make mistakes, regardless of how much training they do, so it’s critical to modernize data security practices as well,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
