UK Employees Are More Concerned About Replying to Their Boss Than Safeguarding Business from Cyberattack
September 2019 by Webroot
New research from Webroot, a Carbonite company, revealed that 61% of UK office workers would open an email appearing to be from their boss first, followed by a message from a family member or friend, despite potentially putting the entire organisation at risk.
The research report titled ‘Hook, Line and Sinker: Why Phishing Attacks Work’ analysed the psychological factors impacting an individual’s decision to click on a phishing email. A sense of urgency combined with a familiar context are strong incentives for employees to open potentially malicious correspondence.
Phishing is the most popular method of cyberattack in the UK(1), and Webroot’s research has found that over three-quarters (77%) of office workers reported receiving a phishing email at work. However, following an attack, cybersecurity processes fall apart: 40% did not bother changing their passwords, and fewer than a third (29%) reported these emails to the government.
In addition, this lack of cybersecurity awareness extends to other tactics that can be used in a phishing attack. While the majority of employees (89%) felt confident in identifying malicious emails, only half (50%) correctly identified phone calls as vulnerable to phishing attacks, and even fewer recognised postal mail (42%), app notifications (41%) or video chat (28%).
Additional Highlights from the research:
Nearly two-thirds (61%) of respondents are most likely to open an email from their boss first, compared to:
• 54% who would first open a message from a family member or friend
• 28% who would first open a request from their bank to confirm a transaction
• 27% who would first open a message with a discount offer from a store
Despite new communication and collaboration tools, UK employees are still facing an uphill battle when it comes to controlling email inboxes, something that cybercriminals are more than happy to take advantage of.
• UK office workers receive an average of 62 emails every workday, with 40% receiving over 35.
• A strong majority of UK office workers (85%) click at least one link in an email.
• 40% of UK office workers click over 25 work-related links a day, including 17% who click more than 50.
Over half (54%) of participants say they have had their personal or financial data compromised, but many fail to take basic cyber hygiene action following that exposure.
• In the wake of a data exposure, only:
o 60% of participants changed their passwords
o 47% ordered a new credit card
o 37% set up alerts with their credit agency
o 29% informed a government agency about the breach or hack
Security habits are leaving businesses vulnerable:
• Over half (59%) of participants admit to clicking on a link from an unknown sender while at work, with one third of those (33%) doing so more than once.
• Of those who clicked a link from an unknown sender at work:
o A majority (72%) did so via email
o 34% clicked on links via social media
o 28% clicked on links sent via text or SMS
Paul Barnes, Vice President Product Strategy & UX, Webroot:
“Cybercriminals weaponise the simple act of clicking and use psychological tricks to inspire urgent action. A high-pressure office environment coupled with a desire to appear responsive to the boss will encourage an ‘act first and think later’ attitude, potentially putting valuable data at risk.
Organisations must implement regular simulated phishing attacks that address the various ways hackers attempt to breach businesses through their employees. A layered security approach that includes consistent training is essential. Armed with this approach, IT Security departments can tackle the people, process and technology needed to successfully mitigate attacks.”
Cleotilde (Coty) Gonzalez, Ph.D., Research Professor, Carnegie Mellon University:
“The way we make decisions is based on perceived risk and potential reward. For employees, they perceive phishing to be an uncommon event, so they mentally decrease the likelihood of this occurring.
“When faced with an email from the boss, the perceived risk associated with not responding feels more immediate. Employees can visualise the potential personal effect and this spurs them to take an action. In this case, the risk that the sender may not be legitimate is outweighed by the risk of getting into trouble and losing face.”
(1) UK Government Cyber Security Breaches Survey 2019 (Published 3rd April 2019)