Many people are returning to the office for the first time in years or switching to a hybrid work schedule. With this shift comes new distractions and disruptions: employees must navigate a new work environment or constantly switch between locations while navigating both video and face-to-face meetings. Leaders need to consider the impact on employee wellbeing and therefore their cybersecurity behavior.
In a new report by email security firm Tessian, nearly half of employees cited distraction and fatigue as the top reasons they made a cybersecurity mistake, up from 34% in 2020. These mistakes are not uncommon: a quarter of employees fell for a phishing email at work in the last year, while two-fifths sent an email to the wrong person. They could result in costly data breaches, the loss of a customer and possible fines. In fact, nearly a third of businesses lost customers after an email was sent to the wrong person. The stakes are high for employees, too: one in four who made a cybersecurity error at work lost their job.
In a hybrid work environment, cybercriminals use advanced techniques to impersonate colleagues and manipulate our behavior. To outsmart them, companies need to understand how stress, distraction, and psychological factors lead people to fall for these scams.
Why Hybrid Work and Zoom Fatigue Lead to Errors
After two years of remote work, people had to get used to using new technologies like video conferencing on a daily basis. As offices reopen, employees are constantly shifting context, distracted by both the physical office and the virtual, always-on communications that come with remote work. It’s mentally exhausting. This distraction and fatigue cause people’s cognitive load to become overwhelming, and then mistakes happen.
For example, a recent study by Jeff and his team at Stanford shows how fatigue in virtual meetings leads to cognitive overload. In face-to-face interactions, we naturally communicate non-verbally and unconsciously interpret these cues. But over video, our brains have to work a lot harder to send and receive signals. There’s also the added mental strain of seeing ourselves in front of the camera all day, which can add extra stress. When our cognitive load is overwhelmed, it’s much harder to focus, meaning tasks like spotting a phishing scam or double-checking to make sure you’re sending a file to the right email recipient can be overlooked.
This is where mistakes happen that can jeopardize cyber security. Scammers know this, too, and are more likely to send phishing emails later in the workday, when a person’s vigilance is likely to have dropped.
Simple fixes can impact employee well-being and help alleviate the fatigue and distraction that lead to errors. Encourage people to take regular breaks between virtual meetings and stay away from screens throughout the day. Introducing special “no meeting days” during the work week and making video optional for meetings that don’t require it can also make a positive difference. Organizations can also take a data-driven approach, measuring how tired a particular team or employee is and offering targeted support. The Stanford Zoom Exhaustion and Fatigue (ZEF) Scale is a useful measurement tool.
How cybercriminals use psychology to manipulate employees
Cyber criminals have developed techniques to manipulate human behavior. One example uses social proof, the phenomenon that people conform to the behavior of others in order to be accepted. Social proof is one of the core principles of influence and becomes even stronger when authority is asserted. Cyber criminals know that most people bow to authority, which is why identity fraud is so effective. Combine authority with a sense of urgency and you have a very compelling message. In fact, Tessian found that in 2022 more than half of employees fell for a phishing scam impersonating an executive.
Another psychological concept attackers use is our “known” network. We tend to trust people on our networks more than complete strangers. That is why cyber criminals are now using SMS text messaging and chat platforms to send malicious messages. Until recently, only someone we knew could write to us, making it a fairly reliable and trustworthy communication channel. But now that many people are giving away their phone numbers when shopping online and phone numbers have been leaked in privacy breaches, that is no longer the case. Text messaging has become just as risky as email, with SMS text fraud, or “smishing,” costing Americans more than $50 million in 2020.
Regardless of the platform — SMS text, email, or social media — look out for messages with unusual requests and those that convey a sense of urgency. Attackers often use stressful and time-sensitive issues like missed payments or strict deadlines to make people react quickly. Knowing what signs to look for makes it easier to trust your suspicions when something doesn’t feel right. From there, you can verbally confirm a request with a colleague or call a financial institution directly before clicking a link.
Knowledge is power
Let’s be clear: the goal here is not to increase anxiety, stress, or guilt about cybersecurity in the workplace. It’s human nature to make mistakes, but hybrid work environments could make people more likely to make mistakes.
Only by understanding how factors like stress, distraction, and fatigue affect people’s behavior, and by understanding how cybercriminals manipulate human psychology, can organizations find ways to empower employees and ensure mistakes don’t lead to serious security incidents.
Greater knowledge and contextual awareness of threats can help overcome the impulsive decision-making that occurs when stress levels are high and cognitive load is overwhelmed, giving people a moment to think twice. When the right steps are taken, employers can better avoid the high risks of a cybersecurity threat and workers can do their jobs effectively and safely.
Tim Sadler is CEO of Tessian and Jeff Hancock is the Harry and Norman Chandler Professor of Communication at Stanford University.