Stress, Age Play Role in Cyber Mistakes
Human error is known to play a major role in cybersecurity attacks, but why are humans making so many mistakes? That’s what a new study from Tessian investigated, and the results could help cybersecurity teams better address data and network protection as we continue to deal with the pandemic and remote work conditions.
Limiting mistakes is vital to security. According to the study, 43% of human errors have cybersecurity repercussions. While it is easy to blame those mistakes on behaviors, such as rushing and not paying close attention or falling for a social engineering scam, the Tessian report went deeper into other issues that can play a role in our actions, specifically stress and age.
How Stress Plays Into Cyber Mistakes
Everyone is understandably stressed right now, and if you have children, your stress level has gone up even higher as the school year begins. Not surprisingly, that stress is rolling over into our work. According to the report, half of the respondents said when they are stressed, they tend to make more mistakes. And for that reason, understanding how stress impacts behavior is critical to improving cybersecurity.
“When our cognitive load is overwhelmed, and when our attention is split between multiple tasks, we aren’t able to fully concentrate on the task in front of us such as carefully inspecting an email for malicious cues or double-checking we’ve typed in the right email address. Mistakes, then, happen,” said Tim Sadler, CEO and co-founder of Tessian.
And just as they prey on vulnerabilities in our software and networks, hackers also prey on the vulnerable state of mind in humans. This year, Sadler said, cybercriminals have capitalized on the fact that people are stressed and are looking for information about the pandemic. They are also taking advantage of the struggling economy with too-good-to-be-true offers.
The Role of Age in Cyber Errors
“Our research showed that younger employees were five times more likely to admit to errors that compromised cybersecurity,” said Sadler. “This is not necessarily because they are more careless, though. Rather, it may be because younger workers are more aware that they’ve made a mistake and are more likely to admit they’d made an error.”
Older workers, on the other hand, tend to be more reluctant to admit to cyber mistakes because they feel self-conscious about falling into stereotypes about older generations and technology and want to stay respected. There is clearly wisdom that comes with those years in the workplace, because the research also found that older workers are the least likely to click on links in phishing emails, but they are also less likely to recognize a phishing email.
“Our report suggests that businesses need to acknowledge that different generations of workers have grown up with technology in different ways, and consequently tailor security training and awareness for different demographics to ensure it truly resonates for each person,” said Sadler.
The COVID-19 Impact
COVID-19 has turned our lives upside down like no other event in most of our lifetimes. One day, things are normal, and the next we’re all working from home, the bottom has fallen out of the economy and every day seems to bring new cancellations or bad news. With everything going on, cybersecurity isn’t front and center for most people.
“The problem is that the majority of employees say they make more mistakes when they are stressed, tired and distracted. And with almost 60% of workers saying they’ve been more distracted while working from home, it’s likely that people have been more error-prone during this time,” Sadler noted.
Before COVID-19, he added, people were accustomed to separating their spaces: work, home and social. “Your home life is typically a safe space, and you don’t expect to receive threatening emails from a hacker pretending to be your boss when you’re at home, much less emails that could have drastic consequences on your company’s data and reputation. But now, these lines have blurred and we’ve quickly had to learn new ways of operating.”
So how can security decision-makers use this understanding of how stress and age impact our security behaviors to improve overall security for the organization, especially in remote work? Sadler said we have to recognize that the one-size-fits-all approach won’t work. Security awareness training has to be tailored to the individual employee, not aimed at a large, diverse group. Also, companies must develop a security culture where workers are comfortable reporting their mistakes and cyber incidents. Otherwise, the mistakes will repeat themselves.
“Lastly, lead with empathy,” Sadler advised. “People are stressed, overworked and overwhelmed; mistakes are inevitable. People aren’t thinking about cybersecurity, and many of your employees aren’t experts in cybersecurity, so it’s unrealistic to rely on them to be your first line of defense.”
Instead, he said, learn how stress impacts people’s cybersecurity behaviors and modify policies and procedures accordingly. “By warning individuals in real-time,” he added, “you can help override impulsive decisions and stop people making mistakes that could turn into data.”