
Why Wednesday Could be the Riskiest Day for Your Business

We often hear that humans are the weakest link when it comes to security. Headlines reporting that 88% of data breaches are caused by human error serve as a constant reminder that businesses are at the mercy of their employees’ mistakes. 

Earlier this year, for example, an administrative error by the UK government resulted in the personal contact details of Windrush migrants being shared in an email about the scheme. A London HIV clinic, too, accidentally leaked data on 781 patients after not ‘bcc-ing’ recipients, resulting in a £180,000 fine.

Mistakes are inevitable, and can have devastating consequences. All it takes is for one click on a phishing scam or for one person to accidentally send data to the wrong person to ruin a company’s reputation. Is it entirely fair to put all the blame on employees? Are we, in fact, placing too much pressure on people to act, and act perfectly, 100% of the time when it comes to cybersecurity? 

Information overload
Generally speaking, a mistake is a decision or action with unintentional or unwanted results. Mistakes happen because people cannot make objective decisions the same way a technical system can. Because of this, people sometimes make decisions that are suboptimal, and this can lead to risky cybersecurity behavior, particularly on email.

Consider this - we spend up to a third of our working week on email, sending and receiving up to 124 emails every day. Every time a message is sent or received, you have to make a decision - did I check that I entered the right email address? Should I respond to this request? Add all those decisions to the hundreds of other decisions people have to make every day, and it’s little wonder that sometimes those decisions result in mistakes.

When we are faced with a situation that requires us to make a decision, there are two psychological systems for generating behavioral responses: ‘System 1’ is the impulsive, quick response, and ‘System 2’ is the more analytical response, whereby the individual assesses the necessary information to make a rational decision. Which system is deployed depends on the nature of the individual and the nature of the specific situation.

Focusing on the ‘why’
Factors in our working lives have a significant impact on our ability to make optimal cybersecurity decisions. Tiredness, stress, demanding workloads, office distractions and ‘quick-to-click’ cultures can mean that people rely on automatic, habitual responses instead of more effortful thinking styles, which allow the available information to be evaluated before an informed decision is made - thus resulting in risky cybersecurity behavior.

In a recent report, we found that the majority of UK employees are tired and stressed during the working week, with Wednesday afternoon being the time when they are most tired. The problem is that fatigue and stress make us more error-prone; nearly three-quarters of UK employees say they make more mistakes at work when they are tired, meaning we are more likely to click on something we shouldn’t. 

Simply put, when we are tired and stressed, we are less likely to question the legitimacy of messages and miss the cues that signal a threat - such as a phishing email - due to the fact that we have less cognitive capacity available to dedicate to evaluating new information. As such, cues present in a cyber threat may be overlooked in favor of a less cognitively effortful response.

In addition to feeling tired and stressed, UK employees are also under pressure to get through their ‘overwhelming’ workloads quickly. The majority of UK employees said there is an expectation within their organization to respond to emails quickly, while two in five (39%) say they respond to emails much more quickly on their phones.

The problem here is that time pressures have a significant impact on decision accuracy. Academics Dr Helen Jones (University of Central Lancashire) and Professor John Towse (Lancaster University) conducted a study whereby two groups of people were asked to identify phishing emails from legitimate ones.

One group were told they had five minutes, the other had as much as they needed. The results showed that participants under time pressure made fewer correct decisions. Those with no time pressures may have been more likely to employ rational decision-making mechanisms - to think to themselves, “does this email seem right?” 

Given that 94% of malware is now delivered by email and 96% of social attacks occur via this channel, the need for employees to be able to spot anomalies that signal a potential cyber threat has never been more important. However, we question whether people have the time, cognitive capacity or even access to the right information to do this in today’s work environments. 

Preventing the inevitable
With so much at stake, businesses need to consider how best to limit the number of mistakes their employees make and find ways to encourage people to think before they click on email, especially at times when security is the last thing on their minds - i.e. Wednesday afternoon. 

For the first time, we can use machine learning to do this. By understanding people’s email communication patterns, we can build a picture of what ‘normal’ behavior looks like. Algorithms can then automatically detect when something looks unusual and alert the person to the threat - such as when they are about to send sensitive information to the wrong person, or when they are receiving a message from a potentially malicious actor.

Warning people that something looks unusual before they make a mistake means they have access to relevant information to inform their next move. Such real-time alerts reinforce safe email practices, helping to override an employee’s impulsive approach to decision making, and nudging them towards engaging an analytical behavioral response. 
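The two preceding paragraphs describe the mechanism in outline: learn each person's usual correspondents, then warn in real time when a draft or an inbound message departs from that picture. The following is an added example of that idea, not code from the article or from any vendor's product. It uses a constructed sample of one user's sent mail as the ‘normal’ baseline and a simple string-similarity rule to catch recipient or sender domains that are near-misses of familiar ones; the function names, the sample addresses and the 0.8 similarity threshold are all assumptions made for illustration.

```python
"""Baseline-and-anomaly check for email recipients and senders.

Added example (not from the original article or any product): builds a
per-user picture of 'normal' correspondents from constructed history, then
flags drafts going to unfamiliar or lookalike destinations and inbound mail
from lookalike domains. All addresses below are constructed sample data.
"""
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed sample history: (sender, recipients) for past sent mail.
SAMPLE_HISTORY = [
    ("alice@acme.example", ["bob@acme.example", "carol@partner.example"]),
    ("alice@acme.example", ["bob@acme.example"]),
    ("alice@acme.example", ["carol@partner.example", "dan@partner.example"]),
    ("alice@acme.example", ["bob@acme.example", "erin@acme.example"]),
]


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def build_baseline(history):
    """Count, per sender, how often each recipient address and domain was used."""
    baseline = defaultdict(lambda: {"addresses": Counter(), "domains": Counter()})
    for sender, recipients in history:
        for rcpt in recipients:
            baseline[sender]["addresses"][rcpt.lower()] += 1
            baseline[sender]["domains"][domain_of(rcpt)] += 1
    return baseline


def lookalike(domain, known_domains, threshold=0.8):
    """Return the known domain that `domain` closely resembles without matching exactly.

    An exact match is normal traffic, so it yields None; a near-miss such as
    'partner.exarnple' for 'partner.example' is the pattern of a typo or an
    impersonation domain. The threshold is an illustrative assumption.
    """
    best, best_score = None, 0.0
    for known in known_domains:
        if known == domain:
            return None
        score = SequenceMatcher(None, domain, known).ratio()
        if score > best_score:
            best, best_score = known, score
    return best if best_score >= threshold else None


def assess_draft(baseline, sender, recipients, sensitive=False):
    """Return (recipient, reason, severity) alerts for an outgoing draft.

    `sensitive` marks a draft the caller already knows carries sensitive
    content (e.g. a labelled attachment); it raises the severity of sending
    to a domain the sender has never written to.
    """
    alerts = []
    profile = baseline.get(sender)
    if profile is None:
        return [(r.lower(), "no history for sender; cannot judge", "low") for r in recipients]
    for rcpt in recipients:
        rcpt = rcpt.lower()
        dom = domain_of(rcpt)
        if profile["addresses"][rcpt] > 0:
            continue  # a recipient this sender writes to regularly: normal
        near = lookalike(dom, profile["domains"])
        if near is not None:
            alerts.append((rcpt, f"domain resembles {near} (possible misaddress or impersonation)", "high"))
        elif dom in profile["domains"]:
            alerts.append((rcpt, "new person at a familiar domain", "low"))
        else:
            alerts.append((rcpt, "never-seen external domain", "high" if sensitive else "medium"))
    return alerts


def assess_inbound(baseline, user, from_address):
    """Return a warning string if an inbound sender's domain mimics a known correspondent's, else None."""
    profile = baseline.get(user)
    if profile is None:
        return None
    near = lookalike(domain_of(from_address), profile["domains"])
    return f"sender domain resembles {near} (possible impersonation)" if near else None


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_HISTORY)
    draft = ["carol@partner.exarnple", "frank@acme.example", "x@unknown.example"]
    for alert in assess_draft(baseline, "alice@acme.example", draft, sensitive=True):
        print("DRAFT:", *alert)
    print("INBOUND:", assess_inbound(baseline, "alice@acme.example", "billing@partner.exarnple"))
```

The point of the design is that the alert arrives before the action completes and says why the message looks unusual, which is the cue a tired ‘System 1’ reader would otherwise miss. A legitimate new partner whose domain happens to resemble an existing one will also trigger the lookalike rule; that is acceptable for a warning that asks the person to look again, but it is the reason this should nudge rather than silently block.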

We have to remember that not every employee was hired as a security professional; mistakes will happen, and to consider staff as a business’ first line of defense will certainly set companies up for a fall. Instead, we need to change the narrative around humans being the weakest link and recognize why they make mistakes, in order to better protect them and the data they handle.

We can use technology to help people make the right decision when faced with a potential threat on email and, only then, will businesses be able to protect their data and systems from human error.


This is part of a blog series provided by CyLon, who find, grow and invest in the world’s best emerging cyber businesses, via its tailored acceleration programs in London and Singapore. Since 2015 CyLon has supported more than 80 companies and has a portfolio of international companies valued at more than £400m. Applications are now open for CyLon's next programmes, starting in August (Singapore) and September (London). For more information, and to apply, visit https://cylonlab.com/application/

