One in four employees who made a mistake that compromised their company's cybersecurity posture lost their job last year, according to a new report from Tessian. The results showed that even the smallest errors are dangerous for an enterprise's security as well as for the job security of its workers.
The report found that U.S. employees sent four emails to the wrong person each month. In the first nine months of 2021, the number of breaches reported to the United Kingdom’s Information Commissioner’s Office caused by data being sent to the wrong person through email increased 32% compared to the same period in 2020.
Tessian found that of the employees who reported sending an email to the wrong person, nearly one-third of them indicated their business lost a client or customer because of the error. Half of those who reported making these mistakes said they did so because they felt pressure to send an email quickly.
Phishing, Smishing

Older employees were more likely to fall for scams, the Tessian report found. It noted that one-third of respondents over the age of 55 fell for phishing attacks over SMS – or smishing – compared with 24% of 18- to 24-year-olds.
Although the number of employees who fell for phishing attacks increased by only 1% over the last year, workers were more likely than in 2020 to fall for more advanced phishing attacks. Tessian also noted that successful smishing attacks outnumbered successful scam attempts through email.
In addition, half of employees who fell victim to phishing emails said they responded because the attacker impersonated a senior executive at the company. By contrast, Tessian found the success rate of email scams impersonating well-known brands dropped – echoing the FBI’s recent report that business email compromise/email account compromise (BEC/EAC) was the top crime of the year.
Delicate Balance

In response to the increase in security incidents, businesses are taking tougher action on employees all the way up the chain of command.
“We have seen some very high profile CISOs find themselves in hot water as of late,” said Ron Layton, VP of cyber fusion and asset protection at Sallie Mae Bank, during a recent panel discussion. “There are a number of notable cases that if you do a little research, you can find out that individuals have been held to account for these kinds of things.”
However, stricter consequences for security breaches may be having an adverse effect on overall transparency within organizations. Tessian's report found that 21% of employees are not reporting their mistakes, compared to 16% in 2020.
The shift to hybrid and remote work is another factor. In a separate report, security vendor Code42 found that 55% of companies said their biggest concern following the pandemic is employees becoming lax in their cybersecurity practices.
“We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents,” Tessian CISO Josh Yavor said in his firm’s report.
Tessian’s report added that compared to 2020, more employees chalked their mistakes up to fatigue and distraction in the last year.
“When distracted and fatigued, people’s cognitive loads become overwhelmed and that’s when mistakes happen,” said Jeff Hancock, a professor at Stanford University and contributor to the Tessian report. “Businesses need to understand how factors like stress can impact people’s cybersecurity behaviors and take steps to support employees so that they can work productively and securely.”