COVID-19 has exposed human vulnerabilities to cyberthreats. Here’s how organisations can help protect their people.
The past seven months have played out like a blockbuster movie, one where the credits never roll. Day by day our lives have changed dramatically, and so too have the ways we work. For many organisations and individuals, the biggest challenge has been adapting to working from home on a scale that was unimaginable back in March.
Accenture’s COVID-19 Pulse research uncovered how these strange times have altered our day-to-day work habits, emotions and behaviours. Many of us are experiencing negative impacts to our psychological wellbeing and mental health:
- Anxiety regarding our health, jobs and the economy has hit the best of us.
- Virtual working is making us feel isolated.
- Fear is making us feel unsafe.
Cyberthreats in the age of COVID-19
Given my background in psychology, I’ve been intrigued by the way these changes expose human vulnerabilities to cyberthreats and undermine organisational cyber resilience. Criminals have been quick to exploit the opportunities presented to them, devising new attacks themed around the pandemic to take advantage of those vulnerabilities.
This is most apparent in the fact that phishing emails spiked by over 600% during the early weeks of the pandemic. From spoofing the World Health Organization (WHO) to obtaining the personal data of vulnerable people, through to urging banking customers to “act now” ahead of COVID-19 account lockdowns, criminals have capitalized on the fear and uncertainty of the pandemic. Their work has demonstrated in the starkest terms that cyberattacks are not just about hacking computers; they are about hacking hearts and minds.
Behavioural research explains why such approaches work. When it comes to making cybersecurity decisions, stress and a heavy cognitive load increase the propensity of people to take risks, think less rationally and be more trusting of scammers. Research also suggests that stressful contexts can instil feelings of resentfulness and annoyance toward cybersecurity policies, which encourages complacent behaviours.
Recent data from Accenture points to remote worker fatigue: tired and frustrated workers will be increasingly less motivated to follow security policies, no matter how important. Homeworking and the increased physical distance between employees have also provided a sense of reduced oversight. Coupled with financial insecurity and job losses, the conditions for some employees may also be highly conducive to malicious insider activity.
We must also factor in that, as scientific studies have shown, the human brain has a tendency to make fast decisions and take the path of least resistance. This is not good news when it comes to human-led cyber resilience, particularly where organisations have failed to provide a seamless shift to remote working. Recent data from Accenture indicates that only 29% of workers have been offered new digital tools to enhance their remote working capability, and over one-third are expected to use their own personal devices for remote work. This opens up significant vulnerabilities.
The good news is that the cybersecurity industry is taking note. A virtual roundtable conducted by Accenture Cybersecurity Forum (ACF) earlier this year explored how security executives are adjusting security controls. For me, the most important takeaway from the discussion is that Chief Information Security Officers recognize that no technology can replace the security provided by appropriate human behaviour.
Cultivating a security-conscious culture
When it comes to driving cyber-secure behaviours across the workforce, mandatory cybersecurity training and generic awareness campaigns are unlikely to hit the mark. What’s more, research has revealed that security campaigns based purely on fear tactics are unlikely to be effective, particularly in the absence of strategies that empower individuals to make cyber-safe decisions.
So, what can organisations do to protect their workers and their systems? Drawing upon behavioural science, we can utilise techniques such as “nudging” to create compelling communications which people really hear, changing mindsets and driving cyber-safe actions. In addition, we can create learning experiences which help employees understand how to spot red flags and how to respond, using methods such as performance simulations which encompass “brain friendly” learning principles.
As I’ve alluded to, helping people adapt to remote working with the right tools and removing potential sources of “friction” is important in maintaining cyber resilience. Leaders can also play a role by assessing known organizational levers of cyber behaviour, such as the extent to which their company has a “security first” culture. Leaders can also explore the extent to which business processes and frameworks surrounding consequence and performance management reinforce and motivate those behaviours.
Ideally, companies should target behavioural interventions where they are needed the most and aim to stop harmful behaviours before damage is done. Moving away from reactive, one-size-fits-all strategies to predictive approaches with proactive intervention will be a key differentiator for high-performing organisations. For our clients, this activity is supported through our Cyber Security Behaviour Assessment (CyBA) diagnostic tool, which helps pinpoint high-risk areas based on behavioural data. The approach paves the way for targeted human-centred strategies, using a toolkit of behavioural science techniques to support proactive intervention before it’s too late.
Given that 99% of cyberattacks require human interaction to succeed, and given what we know about how people think and behave in relation to cyberthreats, it seems like a no-brainer to include behavioural change programmes as part of a broader cybersecurity posture. And now, with human vulnerabilities more exposed than ever, implementing such approaches has taken on a new sense of urgency.