A new survey from Sourcefire has discovered that 90% of UK workers have clicked on a web link embedded in an email.
Given the security risks that carries, the far more alarming finding is that 66% of British workers admitted they very rarely check whether a link is genuine before clicking it.
With data breaches in the news almost daily, such behaviour is risky indeed. Clicking an unverified link exposes the individual to phishing and to malware being downloaded onto their PC. In a business environment it hands a social-engineering attacker a foothold from which to reach the sensitive parts of the corporate network.
The study, based on the responses of 1,106 UK workers, analysed click behaviour and placed respondents into three categories:
- Compulsive Clickers: 46% of surveyed workers fall into the Compulsive Clickers category. According to the research, 24- to 30-year-olds are most likely to click on an unverified web link, with 60% admitting that they always or often click.
- Cautious Clickers: 44% of those surveyed are Cautious Clickers, who only occasionally click on a web link sent to them; when they do, 23% of them will check to see if the link is genuine. The most cautious are those in the 55+ age range (47%).
- Never Clicks: Only 10% of those surveyed are in the Never Clicks category who say they would never click on a web link received via an email.
The study also discovered some other worrying types of behaviour amongst UK workers:
- 92% said they would likely trust a link if it appeared to have originated from a trusted source
- only 34% of respondents would take steps to check that a link was genuine before clicking on it
- 5% of those questioned said they never check whether a link is genuine before clicking it
- Around 10% of the people surveyed didn’t know how to check whether a link was genuine or not.
Sourcefire’s technical director EMEA, Dominic Storey, said,
“It’s frightening to see how easily users can be duped into clicking what looks like an innocent web link, but which can actually give a hacker full control over the user’s computer in a matter of minutes without the victim knowing a thing about it.
“For most organisations it’s a case of when they will be subjected to an IT security breach, not if. Professional cybercrime gangs are adept at social engineering, using social media to develop a profile of an individual’s interests and circle of friends to target them, often by pretending to be a friend or family member. They know that often the easiest way into any corporate network is via the weakest link in the security chain of an organisation – a staff member.
“On a positive note, this survey shows that nearly one third of UK workers are checking that the web link is genuine by hovering their mouse over the link, so clearly the message is beginning to get through.”
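Hovering over a link shows the real `href` in the browser or mail client's tooltip; the phish relies on that destination differing from the text the reader sees. The survey bullets above and the quote both talk about "checking whether a link is genuine" without saying what to look for, so here is that check automated over an HTML e-mail body. This is an added example, not code from Sourcefire or from the article; the sample message is constructed, the domains are reserved example names, and the heuristics (displayed host vs. real host, userinfo before an `@`, bare IP hosts, punycode) are the author of this example's choice.

```python
"""Flag e-mail links whose real destination differs from what the reader sees.

Added example, not part of the original article. It automates the "hover over
the link" check: the tooltip shows the href, and a phishing link relies on that
href not matching the text the user reads. Sample e-mail below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the <a> currently open, if any
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.anchors.append((self._href, visible))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def _registrable(host):
    """Crude normalisation for comparison: lower-case and drop a leading 'www.'."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def _host_shown(text):
    """Host a reader would infer from the link text, or None if it is not URL-like."""
    text = text.strip().rstrip(".,;:!?)")
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlsplit(candidate).hostname or ""
    except ValueError:
        return None
    # require something that looks like a domain with an alphabetic TLD
    if re.fullmatch(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", host):
        return host
    return None


def check_link(href, visible_text):
    """Return the reasons a link is suspicious; an empty list means it passed."""
    reasons = []
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return ["unparseable-href"]
    real_host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append("non-http-scheme")
    if not real_host:
        reasons.append("no-host")
        return reasons
    if parts.username is not None:
        # https://www.bank.example@evil.example/ : everything before '@' is userinfo,
        # the browser actually connects to evil.example
        reasons.append("credentials-in-url")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", real_host):
        reasons.append("ip-literal-host")
    if "xn--" in real_host or not real_host.isascii():
        reasons.append("idn-host")  # possible homograph; inspect by hand
    shown = _host_shown(visible_text)
    if shown is not None:
        shown, real = _registrable(shown), _registrable(real_host)
        # a subdomain of the displayed host is fine; anything else is a mismatch
        if real != shown and not real.endswith("." + shown):
            reasons.append("display-host-mismatch")
    return reasons


def suspicious_links(html):
    """Audit every anchor in an HTML body and return those that raise any flag."""
    findings = []
    for href, text in extract_anchors(html):
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message: one honest link, two phishing tricks, one subdomain.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="https://www.bank.example/login">sign in</a> to review your statement.</p>
<p>Or use this link: <a href="http://www.bank.example.evil.example/login">https://www.bank.example/login</a></p>
<p>Security notice: <a href="https://www.bank.example@198.51.100.7/reset">www.bank.example</a></p>
<p>Help: <a href="https://support.bank.example/">bank.example</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{', '.join(reasons):45} shown={text!r} real={href!r}")
```

Run against the sample, the second and third links are flagged: the first because the text reads as `bank.example` while the real host is a subdomain of `evil.example`, the second because the part before the `@` is userinfo and the browser connects to the bare IP address. The `www.` stripping and the subdomain allowance are deliberately loose so that legitimate `support.bank.example` links are not reported; tighten `_registrable` with a public-suffix list if you want exact matching.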
If you are in business anywhere in the world (I’m sure the UK results above are likely similar to other countries) then these findings provide a lot of food for thought.
If so many employees are willing to put your business at risk through laziness, wilful neglect or a lack of knowledge, then how are you going to deal with it?
Perhaps I could suggest that you need to ‘secure the humans’ in your organisation via a security awareness course?