Working professionals are blaming stress, time pressure, fatigue and distractions for lapses in safe cyber practices – and current conditions caused by the Covid-19 pandemic may only be exacerbating the problem.
According to a newly published research report from Tessian, a survey of 2,000 working professionals in the U.S. and UK found that 43 percent said they were "pretty" or "very" certain that they made a mistake at work that resulted in security repercussions. More than half of the survey-takers – 52 percent – said that they make more mistakes when stressed, while 43 and 41 percent said that mistakes are more likely when they are fatigued or distracted, respectively.
Consequently, companies need to be more observant of employees’ needs, workloads and stress levels, and the impact that such stress causes, said experts. They also may wish to invest in more security training and threat detection solutions that cut down on human error.
A quarter of survey respondents said that at some point during their career they have fallen for a phishing email at work. Being distracted was blamed for 45 percent of these phishing clicks – more than any other reason, including tactics by the cybercriminals themselves (e.g. the email looked legitimate or appeared to come from a senior member of the organization).
In other words, these wounds are often self-inflicted due to burdens and distractions that can impair judgment and cognition. And on some level, cybercriminals know this.
Dr. Margaret Cunningham, principal research scientist at Forcepoint, reminded SC Media in an interview that “one of the most common features of phishing language is the use of time pressure and threats… If stress and time pressure did not contribute to people making mistakes – like clicking a link or sharing credentials – the prevalence of time pressure and threatening language in phishing emails would not be so profound.”
In its report, Tessian suggests that workers are more distracted than ever due to remote working conditions spurred on by the Covid-19 pandemic. Indeed, 57 percent of workers said that they’re more distracted when working from home.
“Working in unusual environments can be stressful and distracting. Prior to the pandemic, people were used to operating in distinct spaces – home, work, social – and we had different ways of understanding the world in each space. The events of 2020 mean these spaces have blurred, and we’ve had to quickly learn new ways of operating, and this has its challenges,” said Jeff Hancock, Harry and Norman Chandler Professor of Communication at Stanford University and an expert in trust and deception who collaborated with Tessian on the survey project.
“When I’m at work, for example, I adopt my ‘superhero’ persona; I’m confident and I’m alert. When I’m at home, though, my shield is down,” Hancock continued in the report. “I don’t expect to receive a threatening email from a hacker pretending to be my boss, demanding an urgent request. And as the cues for me to adopt my ‘work mode’ shield aren’t there, I might not react in the way I would while at the office.”
Cunningham said that when faced with new working conditions, “we are forced to devote more attention to what we’re doing,” which at first “can result in making fewer mistakes” – at least until the process becomes more routine.
However, “The nature of work from home routines may be riskier than the process of changing to a new routine,” she continued, because “we’re less likely to follow basic cyber hygiene practices at home such as locking our screens, logging into VPNs and using strong passwords, because we feel safe and comfortable at home. Working from home may also mean using less secure home networks and using corporate machines for personal reasons.”
Another security gaffe covered in the survey is sending an email – potentially with sensitive information – to the wrong recipient. Forty-four percent of respondents identified feeling tired as a reason they made this error, 41 blamed being distracted, 36 percent said they weren’t paying attention and 34 percent said it was because they were under pressure to send an email quickly.
“Chronic interruptions and distractions are stressful, even if they don’t necessarily increase the amount of work a person needs to complete. Interruptions can also increase perceived time pressure, and lead to feeling overwhelmed when the interruptions stack up and increase our cognitive load…” said Cunningham.
“When we are mentally overloaded, or when our attention is split between multiple demands, we’re more likely to be forgetful or to be unable to fully concentrate on difficult tasks. This may result in mistakes, or perhaps more commonly, a task taking much longer than it normally would.”
Time pressure appears to be a particularly notable factor within certain industries. Eighty-five percent of respondents that operate within the tech industry and 77 percent who work in the financial sector said they are expected to respond to emails quickly. These two industries had the largest percentage of employees who have clicked on a phishing email at work (47 and 45 percent).
But what to do about this? How do organizations compensate for “brain drain” in employees?
"While there is no question that 2020 has been a stressful environment for many employees, leading to the kinds of mistakes described in the [report], our experience suggests that an embedded culture of cybersecurity awareness will help to minimize the kinds of incidents referenced in the article," said Bill Santos, president and COO of Cerberus Sentinel. "Strong messaging regarding the real and present threat of cyberattacks -- especially those... targeted at end users -- delivered on a repeated, consistent basis and supported by regular testing and assesssment, is the single most important step an organization can take to reduce the risk of these kinds of events, regardless of the location of the individual employee."
"As humans, we are all fallible, so it's not uncommon for employees to make errors which impact cybersecurity of the organizations they work for," said Javvad Malik, security awareness advocate at KnowBe4. "It's therefore important to continually test as well as educate employees so that their behavior changes. How they act is far more important than what they know -- so the focus of organizations should be behavior change, so that even under times of fatigue, stress or distraction, they are more likely to make the right decisions."
Cunningham acknowledged that “training that challenges employees and creates ongoing learning opportunities” can help create a “baseline of workforce understanding and resiliency.” However, “they can’t address the underlying issue: Humans have a finite amount of memory and attention. Some of the reasons we make mistakes are that we aren’t paying or can’t pay close enough attention to the task at hand, we are forgetful, we have the wrong amount of information… or we perceive something to be valid and it’s not. Our current physical, mental and environmental state can contribute to whether we can pay attention, remember, and think critically -- variables that training cannot address.”
To help address this, companies can invest in tech solutions designed to provide another layer of security beyond the human element, Cunningham suggested.
These might include threat detection tools designed to flag suspicious inbound emails that constitute a malware or account takeover threat. Companies could also invest in DMARC policies to prevent spoofing schemes.
But at the same time, companies must also “recognize and respective employee boundaries,” Cunningham added.
“Employees perform better and make fewer mistakes when they aren’t burnt out and overwhelmed,” Cunningham continued. “Examine your corporate culture and identify whether or not the implicit or explicit social rules that exist in your organization contribute to a healthy workforce.”
“Understanding how stress impacts behavior is critical to improving cybersecurity,” said Hancock in the report. “In 2020, people have experienced extremely stressful situations that have affected their health and finances, against a backdrop of political uncertainty and social unrest, while simultaneously juggling the demands of their jobs. It’s been overwhelming.”
“The problem is that when people are stressed and distracted, they tend to make mistakes or decisions they later regret,” Hancock continued. “And sadly, hackers prey on this vulnerability. Businesses need to educate employees on how hackers might take advantage of their stress and explain the scams people could be susceptible to.”