We can all admit that 2020 has been a stressful year. But how have these increased levels of stress impacted cybersecurity at businesses across the country?
Recent data from Tessian found that nearly half of employees say they’ve made a mistake at work that has compromised their company’s security. But even more worrisome, 52% of employees say they make more of these security-related mistakes when they’re stressed.
The shift to remote work during COVID-19 has only increased the risk of threats caused by human error. Cybercriminals have capitalized on the fear and uncertainty of 2020 to make their targeted scams all the more convincing. The Twitter breach this summer shows just how disruptive and large-scale these targeted attacks have become.
It’s easy to place the blame on employees, but this overlooks important factors that can help businesses prevent these scams from leading to a breach. Psychological factors such as stress, distraction and burnout can cause employees to make security mistakes. To prevent these errors, businesses must understand how stress impacts employee behavior and how hackers take advantage of it.
How stress and distraction impact cybersecurity behavior
Remote work can contribute to employee stress: a survey by Monster found that more than two-thirds of U.S. workers experience burnout symptoms while working from home. The always-on demands of remote work and a culture of presenteeism put a lot of pressure on remote employees. These factors have an impact on how we all make sound cybersecurity decisions and respond to threats in high-pressure situations.
Meanwhile, distractions can also make employees more error-prone. Tessian research found that 41 percent of employees believe they are more likely to make mistakes when distracted, and employees even cited distraction as the No. 1 reason they fell for a phishing scam at work.
These factors can cause employees to make mistakes that could compromise cybersecurity, like sending sensitive information to the wrong person or accidentally clicking a spam link. Stress and anxiety, for example, can impair people’s ability to weigh the risk/reward factors of a situation and make smart, considered decisions. When people are distracted, they split their attention between multiple tasks, their cognitive load becomes overwhelming, and mistakes happen.
Here are three ways businesses can prevent stress from causing security incidents:
- Align cybersecurity awareness with employee goals.
Amid to-do lists, deadlines and distractions, it’s no wonder that most employees don’t have protecting company data and systems top-of-mind. That’s why consistent training and awareness are so important. But this training can succeed only if it truly resonates with the individual and if employees view it as a way to keep them productive, not as disruptive or another task on their to-do lists. Security training should not get in people’s way. Instead, cybersecurity should feel like it dovetails with achieving their goals at work and driving success for them and their company.
- Use psychology to inform cybersecurity training.
Academics report that people learn best when they get fast feedback and when that feedback stays in context. So, educational alerts to security threats as they happen, for example, can help override impulsive decision-making by offering people the right information exactly when they need it. Explanations about why incidents are threats can also help improve people’s cybersecurity behaviors. When people are taught the tactics hackers use against them, like out-of-the-ordinary requests, urgent subject lines and spoofed email addresses, they can recognize when they are the targets of phishing scams.
- Take the pressure off employees.
Businesses must empathize with what their employees are going through today. It’s unrealistic to expect people to make the right cybersecurity decision 100 percent of the time, especially when they work from makeshift offices in their homes, are distracted by their children or roommates, and feel anxious about real-world events in the news. Instead, find ways to prevent mistakes from happening so company data and systems remain secure and people feel empowered to do their best work without security getting in the way.
A security culture based on human-first, psychology-led principles means understanding how stress, fast-paced working environments and distractions can cause employees to overlook the warning signs of a hack. If businesses are going to improve cybersecurity behaviors, training must center on how people learn most effectively. By empowering employees with the right knowledge, companies can prevent data security mistakes before they happen.
Jeff Hancock, Harry and Norman Chandler Professor of Communication, Stanford University; Tim Sadler, CEO, Tessian