
When it comes to data breaches that expose personal information to hackers and compromise a company's critical infrastructure, humans are apparently the weakest link.
About 9 out of 10 (88%) data breaches are caused by a mistake made by an employee -- human error -- while just 12% are the result of malicious attacks, according to a study out of the UK.
The research showed that while data breaches are generally associated with the actions of malicious criminals, the reality indicates something quite different.
The most common error was to send sensitive data to the wrong recipient, which was the cause of 37% of reported data breaches, according to the study. Other common errors included the loss or theft of paperwork, forgetting to redact data or storing data in an insecure location, such as a public cloud server.
A 2022 study by cybersecurity firm Tessian revealed that one in four employees lost their job the previous year after making a mistake that compromised their company's security.
"All it takes is one person to accidentally send an email containing sensitive information to the wrong person or an individual to respond to an impersonation scam for data or systems to be compromised," Tessian pointed out.
When asked why these mistakes happened, half of employees told Tessian they sent emails to the wrong person because they were under pressure to send the email quickly. Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company. Another two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks.
"When distracted and fatigued, people's cognitive loads become overwhelmed and that's when mistakes happen. Businesses need to understand how factors like stress can impact people's cybersecurity behaviors and take steps to support employees so that they can work productively and securely," Jeff Hancock, professor at Stanford University, said in a statement.
With harsher consequences in place, Tessian found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn't report security incidents, resulting in security teams having less visibility of threats in the organization.
"We know that the majority of security incidents begin with people's mistakes," said Josh Yavor, CISO at Tessian. "Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work."