TAPPED Out report reveals why we make bad security decisions: phones, location and lunch

We know that humans make bad security decisions, and a new report — TAPPED Out from security awareness firm KnowBe4 — helps to explain why. We can summarise its findings in three words: phones, location and lunch.

The TAPPED Out survey not only investigates factors that influence cybersecurity behaviours but also provides answers to help businesses mitigate the mistakes that poor security culture can lead to.

TAPPED stands for tired, angry, pissed, pressed, emotional and distracted. The report analyses security culture across 6,000 office, remote and hybrid employees in the UK. And its results are worth listening to.

Security out for lunch

First, a finding that might surprise managers: working locations make little difference to whether employees make security-aware choices. KnowBe4 found that 82% of hybrid, 84% of in-office and 85% of remote workers admitted to the failing. Uniformly bad, in other words.

Across the board, however, better security decisions were made before, rather than after, lunch.

This is most apparent for in-office workers, where 32% paid closer attention to cybersecurity before lunch compared to 21% after. Remote workers revealed the least difference (34% and 29%) with hybrid workers (32% and 24%) in the middle.

Could it be that when working in an office people have a glass or two of something alcoholic at lunch? Sadly, that is not within the scope of the report.

When it comes to taking responsibility for an organisation’s cybersecurity, the difference between workers in-office and either hybrid or at home is more stark: 21% compared to just 14%.

Danger of distractions

Distractions can make it far more likely that links in phishing emails are clicked or malicious document attachments opened (39% confirmed this in the research). So what are the distractions?

Phones come top of the list, be it calls or notifications. 39% of remote workers listed phones as their biggest distraction, rising to 45% for in-office and hybrid employees.

Unsurprisingly, deliveries impacted most on home (28%) and hybrid (26%) staff. Only 15% of full-time office staff listed deliveries as a distraction.

Stress leads to bad security decisions

Stress, regardless of working location, was stated by 35% as being a factor in making bad cybersecurity decisions.

“With email apps easily accessible on our phones, it has become a bad habit among many of us to scroll through our unread messages while on our daily commute, on holiday or even at our local pub late on a Friday evening,” says Javvad Malik, lead security awareness advocate at KnowBe4.

“However, it’s in times like these that we are most likely to be distracted or emotional, and make a mistake — whether by sending off a poorly written email, cc’ing the wrong recipients or clicking on a phishing link.”

How to improve security culture and decisions

KnowBe4 suggests a number of methods to avoid distractions that can lead to poor cybersecurity awareness:

  • Determine what personal best practices look like for your workday
  • Schedule time for emails instead of leaving an email inbox open all the time
  • Prioritise your day by writing down the most important tasks/projects to be completed
  • Turn off notifications on your cell phone
  • Handle emails immediately instead of leaving them for later to save time

“While this survey highlights the changes in our working environment and how employee behaviours might be putting companies at greater risk of a cyber attack/incident,” Malik concludes, “it also provides greater insight into when best to educate the workforce with the necessary security awareness to help them, and their organisations, make better decisions.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.