How a phishing attack impacts an employee’s mental health

Once again, phishing retains its number one spot in the top attack vectors used by cybercriminals. Just last month the Government's latest annual cyber breaches survey reported that 79% of businesses experienced a phishing attempt over the last 12 months. Yet, despite phishing remaining the biggest threat to individuals' and companies' security and safety, this form of social engineering has been overshadowed by more sophisticated forms of attack, like ransomware, which grab the headlines with the ransom demands that follow.

The reality, though, is that phishing is still the main culprit for catching out employees who fall victim to malicious activity. According to the KnowBe4 benchmarking report, 1 in 3 employees are likely to fall for a phishing attack when they have not had cybersecurity training.

With phishing emails sent out en masse, cybercriminals are relying on employees either lacking in cyber awareness or being too busy to spot the small discrepancies in the messages that reveal the trick. However, as phishing continues to rise, with 52% of employees admitting to falling victim to a cyber-attack, the chance that one of your team will be the cause of a breach is greater today than ever. And the consequence this crime could have on their wellbeing, and on the wider workforce’s productivity, could be significant.

Employee mental health

So, with the prevalence of phishing remaining high, what is the impact of all of this in the workplace and on employees’ mental health?

To set a perspective, it’s always useful to start sensitive conversations like this with an example. Unfortunately, people fall victim to scams on a daily basis, whether it’s a supposed cold call from your bank or a door-to-door ‘salesperson’ pretending to be from a company that turns out to be fake. There are also those who hide behind the smoke screen of the internet to exploit victims for monetary gain. All these fraudulent acts are opportunistic, built on the expectation that nine times out of ten you won’t pick up the phone or answer the door, but that on the off chance one day you will, because you need the service they are trying to sell. This is the same approach taken by criminal gangs that use phishing tactics.

Kelly Allen is Chief Marketing Officer for Core to Cloud.

The effects of a cyber attack

A Sage Open report published in 2021 ‘suggested that hacking victims may experience many of the same psychological impacts as those experienced in traditional crime’, including anxiety, an increased sense of vulnerability, fear and a sense of helplessness, loss of trust and a sense of violation. A further study also suggests victims feel a sense of guilt, and that negative responses from ‘their employers either exacerbated or ameliorated these negative emotions’. Workers who have fallen victim to a cyber-attack will be worried about the impact the breach is going to have on their colleagues, what the cost will be, both financially and reputationally, for the company, and what the outcome of all of this will mean. Will there be loss of business and, if so, what is the consequence of this? Are jobs at risk? Is their job at risk?

Yet, despite this effect on wellbeing, research shows that cybercrime victims at work are not afforded the same compassion as someone who has suffered from a traditional crime like burglary or fraud, despite the crimes having the same end goal: to strip the targeted parties of their finances and assets.

Instead, employees are made to feel shamed, guilty and alienated. According to the Psychology of Human Error, last year 21% of 2,000 US and UK workers were even sacked after making a mistake that compromised their company’s security. This was up from 12% the year before.

Business leaders need to consider the wider, knock-on effect on employees of taking such a hard course of action: the blame culture this creates, and how other members of staff feel when they see a colleague isolated and made a scapegoat. Having a clear and positive policy and process in place around how the company responds to the incident and handles the employee in question could make all the difference to the company’s recovery, reputation and productivity.

So, what is the solution?

A change in attitude to successful phishing attempts is a must. Sacking and other disciplinary methods don’t have to be the answer. Organizations need to understand that employees are only human and that they need to work collaboratively to reduce the risk of them falling victim. Employers need to remove the blame game and understand it is their responsibility to educate and protect their workforce. They need to instill a culture in which cybersecurity is a collective, organizational concern that doesn’t fall on the shoulders of the individual.

The Government’s recent breaches survey highlighted that only 19% of 2,263 UK businesses surveyed tested staff with mock cybersecurity exercises. This figure could suggest that organizations aren’t taking phishing seriously enough or they have other priorities, which is more likely the case.

Phishing attacks and human error are two things that will only go up unless steps are put in place to prevent them from turning into breaches. Organizations can and should be taking time to make sure staff members can recognize risk, and the best way is through cybersecurity awareness training. However, training doesn’t just have to be delivered through a bland PowerPoint presentation or company video anymore.

Crisis sims are playing a key role in building workforce resilience. These exercises challenge teams to make critical decisions when dealing with emerging incidents, such as ransomware outbreaks, insider threats, data breaches, and phishing attacks. Placing your workforce in reactive situations helps to build muscle memory. Cybersecurity needs to be considered similar to any health and safety issue: you wouldn’t expect your workforce to know what to do in the event of a fire without practicing the drill.

Robust cybersecurity strategies are built on technology, process and people. To reduce the risk, these three areas need to be working together. There is little point in implementing the best technologies if you have the wrong processes in place and your people don’t understand what they should be doing in a crisis, and vice versa.

It’s vital that in today’s AI-driven digital age organizations invest just as heavily in people as they do in technologies. It’s often staff that are the first area of attack for criminals, so they need to be the first line of defense for organizations.

Kelly Allen is Chief Marketing Officer for Core to Cloud, a multi-award-winning cybersecurity solutions provider.