How Can Laziness and Stress Be Threats to Cybersecurity?


September 12, 2022

When we think about cybersecurity, the focus tends to be on our IT infrastructure and the protective measures we have in place in the digital world. It never occurs to many business owners that human emotions like stress or laziness could have any relevance to their security measures. However, this human element is becoming increasingly important in the modern world. 

As our IT security measures grow increasingly robust, cybercriminals are turning their focus to the humans who work within these sophisticated digital environments. This choice makes perfect sense. Why spend days trying to crack a complex password when you can trick an employee into giving it to you in minutes? 

Recent social engineering attacks have demonstrated that, like it or not, we humans are often the weakest links when it comes to cybersecurity. Even a highly skilled, intelligent, and well-trained employee can make a fatal mistake if they are tired, stressed, and overworked. For this reason, it’s crucial for business owners to understand the factors that lead to devastating cybersecurity mistakes and what they can do to minimise their risk.

What is a social engineering attack?

Social engineering is a broad term that covers a variety of attack styles. The core feature these attacks share is that they can only be accomplished through some form of human interaction. To achieve this, cybercriminals use psychological manipulation and every tactic in the con artist’s playbook to trick people into giving up their credentials or other sensitive information.

This attack style is effective because it relies on something we’re all prone to – human error. However, criminals don’t just play the odds and wait for mistakes they can exploit. Instead, they develop strategies designed to make a lapse of judgment far more likely. 

Social engineering attacks are designed to elicit a strong and sudden surge of fear, curiosity, or desire. These intense emotions tend to bypass our rational processes, triggering us to act before thinking things through. 

If you’ve ever poked around in your spam folder, you’ve likely seen emails claiming that your account has been suspended due to suspicious activity (fear) or that an exiled prince wants to share his inheritance with you (desire). If an acquaintance has ever had their social media account hacked, you’ve probably seen them sharing “news” of a disaster in your area or a get-rich-quick scheme involving some celebrity (curiosity). Such attacks are designed to make you click first and think later. And they aren’t reserved for your personal email or social media accounts. Crime syndicates and individual hackers are increasingly targeting businesses of all sizes via their employees.

Training and updates on the latest attack variants are excellent strategies because they prime your brain to recognise red flags and short-circuit the emotional response. However, even the most well-prepared employee can miss an obvious threat when operating under duress.  

How do stress and laziness contribute to cybersecurity risks?

Here, we’re talking about laziness as an emotion, not a set character trait. Few people are incorrigibly lazy. Instead, a sense of laziness tends to arise when we lack crucial knowledge and don’t enjoy transparency in the workplace. When policies aren’t clear, training isn’t provided, and resources aren’t readily available, many employees will just take the path of least resistance, putting in the least amount of effort required to keep their job and paycheck. Such employees generally don’t have cybersecurity on their minds when performing their duties. So, they may not think to check the origin of an email or message before clicking a link or downloading a file. 

Stressed employees also present a significant cybersecurity risk, especially if the condition becomes chronic. According to research published in Frontiers in Behavioral Neuroscience, decision-making is one of the first cognitive functions to be negatively affected by stress. Specifically, risk-based decision-making is significantly impaired, as is a person’s sensitivity to contextual details.

So if an employee is rushed, time-poor, and impaired by the burden of stress, they’re far more likely to miss signs like spelling errors and unusual email addresses that indicate a social engineering attack. A stressed-out employee is also far more likely to have a heightened response to fear, desire, or curiosity triggers, increasing the likelihood that they might click before they think. 

How can you reduce your risk of social engineering attacks?

Of course, it’s still crucial to have a robust IT security system in place. However, the technological side must be balanced by an equally robust strategy to address the human component of cybersecurity. Think about it like this: You could upgrade from keys and locks to the world’s most sophisticated biometric access system, but if one of your employees holds the door open for an intruder, all that expensive, high-tech equipment won’t keep them out. The same is true in the digital world. 

If an employee doesn’t have a clear policy to fall back on, they may default to politeness and hold the door open, even if they don’t recognise the person asking to be let in. Similarly, if employees don’t have clear cybersecurity policies to guide them, they may default to the way they handle cybersecurity at home. With recent research revealing that 51% of people use the same passwords for personal and work accounts, 57% of phishing attack victims don’t change their log-in credentials, and 23 million account holders still use 123456 as a password, this should be a major cause for concern.

Thankfully, you can change these default settings by giving your team easier options to fall back on. This means developing clear policies and procedures to follow. These documents must be concise, easy to read, and accessible on all work devices. It’s also crucial to back them up with regular training on your company’s cybersecurity best practices and the latest threats to look out for. 

The bottom line? Make it ridiculously easy for your team to follow protocols that will keep your system, devices, and data safe. Of course, that means you will need to put the work into developing those protocols, best practices, and training modules. 

If you want to take the hard work and stress out of maintaining your cybersecurity standards, Invotec is here to help. Our fully certified IT consultants can guide you through your options, answer any questions you may have, and put your mind at ease about the security of your precious data. Use the contact form below or call 1300 468 683 to get in touch. 
