Understanding how stress impacts your employees’ cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising your company’s security, our latest research reveals.
Consider this. A shocking 93% of US and UK employees told us they feel tired and stressed at some point during their working week, with one in 10 feeling tired every day. And perhaps more worryingly, nearly half (46%) said they have experienced burnout in their career.
Then consider that nearly two-thirds of employees feel chained to their desks, as 61% of respondents in our report said there is a culture of presenteeism in their organization that makes them work longer hours than they need to. Nearly 70% of employees also agreed that there is an expectation within their company to respond to emails quickly.
Employees are overwhelmed, overworked and are feeling the pressure to keep pace with their organization’s demands.
“61% of employees say a culture of presenteeism in their company makes them work longer hours than they need to.”
The effects of the pandemic
The events of 2020 haven’t helped matters either. In the wake of the global pandemic, people have experienced extremely stressful situations that affected their health and finances, against a backdrop of political uncertainty and social unrest, while simultaneously juggling the demands of their jobs. The sudden shift to remote working also meant that people were surrounded by new distractions, and over half of respondents (57%) told us they felt more distracted when working from home.
According to Jeff Hancock, a professor at Stanford University who collaborated with us on this report, people tend to make mistakes or decisions they later regret when they are stressed and distracted. This is because when our cognitive load is overwhelmed, and when our attention is split between multiple tasks, we aren’t able to fully concentrate on the task in front of us.
What does this mean for security?
Not only are these findings incredibly concerning for employees’ health and wellbeing, these factors could also explain why mistakes that compromise cybersecurity are happening more than ever. The majority of employees (52%) we surveyed said they make more mistakes at work when they are stressed.
Younger employees seem to be more affected by stress than their older co-workers, though. Nearly two-thirds of workers aged 18-30 years old (62%) said they make more mistakes when they are stressed, compared to 45% of workers over 51 years old.
Our research also revealed that 43% and 41% of employees believe they are more error-prone when tired and distracted, respectively. In fact, people cited distraction as the top reason why they fell for a phishing scam at work, while 44% said they had accidentally sent an email to the wrong person because they were tired.
While these mistakes may seem trivial on the surface, phishing is the number one threat vector used by hackers today and one in five companies told us they have lost customers as a result of an employee sending an email to the wrong person. Far from red-faced embarrassment, these mistakes are compromising businesses’ cybersecurity.
“41% of people say they make more mistakes at work when they are distracted.”
The other problem is that hackers are preying on our vulnerable states, and using them to their advantage. Cybercriminals know people are stressed and looking for information about the pandemic and remote working. They know that some individuals are struggling financially and others have lost their jobs. The lure of a ‘too-good-to-be-true’ deal or ‘get a new job fast’ offer may suddenly look very appealing, especially if the email appears to have come from a trusted source, and cause people to click.
So what can businesses do to protect employees from mistakes caused by burnout?
Business and security leaders need to realise that it’s unrealistic for employees to act as the company’s first line of defence.
You cannot expect every employee to spot every scam or make the right cybersecurity decision 100% of the time, particularly when they’re dealing with stressful situations and working in environments filled with distractions. When faced with never-ending to-do lists and back-to-back Zoom calls, cybersecurity is the last thing on people’s minds. In fact, a third of respondents told us they “rarely” or “never” think about security when at work.
Businesses, therefore, need to create a culture that doesn’t blame people for their mistakes and, instead, empowers them to do great work without security getting in the way. Understand how stress impacts people’s cybersecurity behaviors and tailor security policies and training so that they truly resonate for every employee.
“Understanding how stress impacts behavior is critical to improving cybersecurity.”
Educating people on how hackers might take advantage of their stress and explaining the types of scams that people could be susceptible to is an important first step. For example, a hacker could impersonate a senior IT director, supposedly communicating the implementation of new software to accommodate the move back into the office, and ask employees to share their account credentials. Or a hacker may pose as a trusted government agency requesting personal information in relation to a new financial relief scheme.
Businesses should also implement solutions that can help employees make good cybersecurity decisions and reduce risk over time. Security solutions like Tessian use machine learning to understand employee behaviors to alert people to risks on email as and when they arise. By warning individuals in real-time, we can educate individuals as to why the email they were about to send or have received is a threat to company security. It helps to make people think twice before they do something they might regret.
With remote working here to stay, and with hackers continually finding ways to capitalize on people’s stress in order to manipulate them, businesses must prioritize cybersecurity at the human layer. Only by understanding why people make mistakes that compromise cybersecurity can you begin to prevent burnout from causing your next data breach.