Why Bullying Employees Into Compliance Won’t Work
Security leaders need to understand that people working from home require more than technological support to improve security
The majority of compromises start from human error – such as falling for a phishing attack. But despite increased awareness spending and training, such failures are continuing and the effects are worsening – and it may partly be due to the new hybrid home/office work paradigm.
Email security firm Tessian surveyed 2,000 security professionals (1,000 in the US and 1,000 in the UK) aged from 18 to 51+ for the latest edition of its Psychology of Human Error (PDF) report. It found that mistakes are still being made, but more are unreported than they were two years ago – that is, before the pandemic accelerated the move to hybrid working.
More than a quarter of the employees fell for a phishing email. More than one half of these said the email impersonated a senior executive at their company – which was a 41% increase over 2020.
Two-fifths of employees have sent an email to the wrong person, leading to the business loss of a client or customer in almost one-third of cases. According to Tessian, 21% of employees who made a cybersecurity mistake lost their job. This may partly explain the most worrying statistic: the number of employees who did not report their mistake to the IT team rose from 16% to 21%.
The continuing success of social engineering attacks is partly due to more advanced malicious techniques, and partly due to the different pressures of home working. Two recognized effects of remote working are ‘presenteeism’ and ‘distraction’. The former is the tendency to work longer hours to avoid any perception of slacking. This leads to tiredness. The latter is inevitable when kids and pets may continually interrupt.
The result is an unrecognized cognitive overload that is more likely to be experienced in the home environment than in the office environment. The human brain is only capable of processing a certain amount of information – it cannot handle both work and distractions simultaneously. Switching between the two – especially when tired – can lead to mistakes.
“With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue – something they didn’t face two years ago,” says Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University. “When distracted and fatigued, people’s cognitive loads become overwhelmed and that’s when mistakes happen.”
Cybercriminals have never been slow to recognize new opportunities, and seem to have adapted their attacks to the new environment very rapidly. The increase in phishing attacks purporting to come from a business superior may partly be due to the general increase in BEC attacks, but may also reflect an understanding that remote workers expect to receive these emails. They may even welcome them as a connection to the wider team; and to some extent, the work email is a substitute for a few minutes at the office water cooler.
A second increase in social engineering attacks is smishing. “We found that the number of smishing attacks increased dramatically during the pandemic, and 56% of people we surveyed said they received a scam via text message in the last 12 months.” This growth may be organic simply because it is successful, or it may be in response to employees’ greater tendency to use a mobile phone in the home environment than in the office environment. Either way, 32% of employees clicked on a smishing attack, while ‘only’ 26% clicked on a phishing attack.
Overall, the Tessian survey did not find a huge increase in the volume of successful phishing and scamming in the hybrid workplace, but did detect subtle changes in the methods used by cybercriminals. In general, the attacks are more sophisticated and more directly targeted against home workers and the different pressures of working from home.
The growth in not reporting a mistake can be seen as the combined effect of being absent from the office, and more exposed to both criticism (which is part of the cause of presenteeism) and the fear of being sacked because of it (which is growing).
Not reporting mistakes can lead to greater problems down the line, and simply adds to the security tram’s lack of visibility into remote working. Sacking employees because of mistakes further adds to an already high attrition problem in a time of general skills shortage.
Security leaders need to understand that people working from home require more than technological support to improve security. More than ever, security is a people problem, and the people as well as their devices require additional support.
“This requires earning the trust of employees,” explains Tessian’s CISO, Josh Yavor. “Bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions.”