April 4, 2022

One in four employees lost their job in the last 12 months, after making a mistake that compromised their company’s security. The new report, which explores why people make errors at work, also found that:

Just over one in four respondents (26%) fell for a phishing email at work, in the last 12 months

Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error

Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT

When asked why these mistakes happened, half of employees said they had sent emails to the wrong person because they were under pressure to send the email quickly - up from 34% reported by Tessian in its 2020 study - while over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working.

“With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue - something they didn’t face two years ago,” said Jeff Hancock, a professor at Stanford University who contributed to the report. “When distracted and fatigued, people’s cognitive loads become overwhelmed and that’s when mistakes happen. Businesses need to understand how factors like stress can impact people’s cybersecurity behaviors and take steps to support employees so that they can work productively and securely.”

The feeling of exhaustion that comes from a day of back-to-back online meetings – also known as “Zoom fatigue” – is greater for women, according to the researchers’ data. They found that overall, one in seven women – 13.8 percent – compared with one in 20 men – 5.5 percent – reported feeling “very” to “extremely” fatigued after Zoom calls.

These new findings build on a paper the Stanford researchers recently published in the journal Technology, Mind and Behavior that explored why people might feel exhausted following video conference calls. Now, they have the data to show who is feeling the strain. For their follow-up study, the researchers surveyed 10,322 participants in February and March using their “Zoom Exhaustion and Fatigue Scale” to better understand the individual differences of burnout from the extended use of video conferencing technologies during the past year.

These findings add to a growing understanding of how the COVID-19 pandemic is disproportionately affecting certain groups of people, said Jeffrey Hancock, professor of communication in the School of Humanities and Sciences and co-author of the new study released April 13 on the Social Science Research Network.

“We’ve all heard stories about Zoom fatigue and anecdotal evidence that women are affected more, but now we have quantitative data that Zoom fatigue is worse for women, and more importantly, we know why,” Hancock said.

The researchers found that what contributed most to the feeling of exhaustion among women was an increase in what social psychologists describe as “self-focused attention” triggered by the self-view in video conferencing.

“Self-focused attention refers to a heightened awareness of how one comes across or how one appears in a conversation,” Hancock said.

To measure this effect, the researchers asked participants questions such as: “During a video conference, how concerned do you feel about seeing yourself?” and “During a video conference, how distracting is it to see yourself?”

The researchers found that women answered these questions at higher rates than men – a finding that is consistent with existing research that shows women have a greater propensity to self-focus than men when they are in the presence of a mirror. That prolonged self-focus can produce negative emotions, or what the researchers call “mirror anxiety,” Hancock explained.

A simple solution is to change the default display settings and turn off “self-view.”

Also contributing to an increase in Zoom fatigue among women were feelings of being physically trapped by the need to stay centered in the camera’s field of view. Unlike face-to-face meetings where people can move around, pace or stretch, video conferencing limits movement. Another way to address this is to move farther away from the screen or to turn off one’s video during parts of calls.

The researchers found that while women have the same number of meetings per day as men, their meetings tend to run longer. Women were also less likely to take breaks between meetings – all factors that contributed to increased weariness.

The pattern of women being more burned out from videoconferencing than men appears to be robust. “We see this gender effect across multiple different studies, and even after taking into account other factors. It’s a really consistent finding,” Hancock said.

People are falling for more advanced phishing attacks

While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than they were in 2020.

Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company - up from 41% reported in 2020. In comparison, click-through rates on phishing emails whereby threat actors impersonated well-known brands dropped. These findings mirror those reported by the FBI, which found that business email compromise attacks (BEC) are eight times more common than ransomware and the losses from these attacks continue to grow year on year.

People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in smishing scam versus 24% of 18-to 24-year-olds.

The consequences for accidental data loss are more severe

On average, a US employee sends four emails to the wrong person every month - and organizations are taking tougher action in response to these mistakes that compromise data. Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person - up from the 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020.

Over a one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built. Businesses also had to report the incidents to regulators. In fact, the number of breaches reported to the Information Commissioner’s Office, caused by data being sent to the wrong person on email, was 32% higher in the first nine months of 2021 than the same period in 2020.

Employees are fearful of reporting mistakes

With harsher consequences in place, Tessian found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization.

Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees; and bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”