Many people are returning to the office for the first time in years or moving to a hybrid work schedule. This shift brings new distractions and disruptions: employees must navigate a new working environment or constantly switch between locations while navigating both video and in-person meetings. Business leaders must consider the impact on employees’ wellbeing and, in turn, their cybersecurity behavior.
In a new report from email security company Tessian, nearly half of employees cited distraction and fatigue as the main reasons they made a cybersecurity mistake, up from 34% in 2020. These mistakes are not uncommon — a quarter of employees fell for a phishing email at work in the last year, while two-fifths sent an email to the wrong person — and can lead to costly data breaches, loss of a customer and possible regulatory fines. In fact, almost one-third of businesses lost customers after an email was sent to the wrong person. The stakes for employees are also high: one in four people who made a cybersecurity mistake at work lost their jobs.
In a hybrid work environment, cybercriminals are using advanced techniques to impersonate colleagues and manipulate our behavior. To outsmart them, businesses need to understand how stress, distraction and psychological factors are causing people to fall for these scams.
Why hybrid work and Zoom fatigue lead to errors
After two years of working remotely, people have had to adapt to using new technologies, like video conferencing, daily. As offices reopen, people are constantly context-switching, facing distractions from both the physical office and the virtual, always-on communication that comes with remote work. It’s mentally exhausting. This distraction and fatigue cause people’s cognitive loads to become overwhelmed, and that’s when mistakes happen.
For example, a recent study done by Jeff and his team at Stanford shows how virtual meeting fatigue leads to cognitive overload. In face-to-face interactions, we naturally communicate nonverbally and interpret these cues subconsciously. But over video, our brains have to work much harder to send and receive signals. There’s also the added mental strain of seeing ourselves on camera throughout the day, which can cause added stress. When our cognitive loads are overwhelmed, it is much harder to concentrate, meaning tasks like spotting a phishing scam or double-checking that you’re sending a file to the correct email recipient can be overlooked.
This is when mistakes happen that can compromise cybersecurity. Scammers know this too, and are more likely to send phishing emails later in the working day when a person’s guard is likely down.
Simple fixes can make an impact on employee wellbeing and help ease the exhaustion and distraction that lead to mistakes. Encourage people to take regular breaks between virtual meetings and to step away from screens throughout the day. Instituting dedicated “no meeting days” during the work week and making video optional for meetings where it isn’t necessary can make a positive difference as well. Businesses can also take a data-driven approach by measuring how fatigued a certain team or employee is and offering targeted support. The Stanford Zoom Exhaustion and Fatigue (ZEF) Scale [survey required] is a helpful measurement tool.
How cybercriminals use psychology to manipulate employees
Cybercriminals have developed techniques to manipulate human behavior. One example leverages social proof, the phenomenon that people will conform to the behavior of others in order to be accepted. Social proof is one of the core principles of influence and becomes even stronger when authority is invoked. Cybercriminals know that most people defer to those with authority, which is why impersonation scams are so effective. Combine authority with a sense of urgency, and you have a very compelling and convincing message. In fact, Tessian found that more than half of employees fell for a phishing scam that impersonated a senior executive in 2022.
Another psychological concept attackers leverage is our “known” network. We tend to trust people who are in our networks more than complete strangers. That’s why cybercriminals are now using SMS text messages and chat platforms to send malicious messages. Until recently, only someone we knew could text us, making it a pretty reliable and trusted channel of communication. But now that many people give their phone numbers away when shopping online, and phone numbers have been leaked in data breaches, that’s no longer the case. Text messaging has become just as risky as emailing, with SMS text scams, or “smishing,” costing Americans more than $50 million in 2020.
No matter the platform — SMS text, email or social media — keep an eye out for messages with unusual requests and those that create a sense of urgency. Attackers will often use stressful and time-sensitive themes like missed payments or strict deadlines to make people react quickly. If you know what signs to look for, it’s easier to trust your suspicions when something feels off. From there you can confirm a request verbally with a colleague or call a financial institution directly before clicking on a link.
Knowledge is power
Let’s be clear: the goal here is not to increase fear, stress or guilt around cybersecurity in the workplace. It’s human nature to make mistakes, but hybrid working environments could be causing people to slip up more often.
Only by understanding how factors like stress, distraction and fatigue impact people’s behaviors, and by understanding how cybercriminals manipulate human psychology, can businesses start to find ways to empower employees and ensure mistakes don’t turn into serious security incidents.
Greater knowledge and contextual awareness of threats can help override the impulsive decision-making that occurs when stress levels are high and cognitive loads are overwhelmed, giving people a moment to think twice. If the right steps are taken, employers can better avoid the high stakes of a cybersecurity threat and employees can do their jobs effectively and securely.
Tim Sadler is CEO of Tessian and Jeff Hancock is Harry and Norman Chandler Professor of Communication at Stanford University.