Last summer, Colonial Pipeline paid a ransom of almost $5 million after a cyberattack created widespread panic over the availability of gasoline in the southeastern United States. Weeks later, the world’s largest meat processor agreed to pay an $11 million ransom in response to a cyberattack that suspended operations at factories in the United States, Canada and Australia. Attacks like these have been increasingly common for years, and the Covid-19 pandemic has only made matters worse, with the FBI reporting a 400% increase in cyberattacks during the first months of the pandemic.
In response, investment in cybersecurity soared – but unfortunately, these efforts have not always addressed the underlying factors that create vulnerabilities. As computer scientists strive to create better, smarter, and more secure technical systems, there’s a risk they can’t program: humans. Especially as remote working becomes more prevalent and access to secure systems becomes more distributed, one wrong click from an employee can often be enough to threaten an entire digital ecosystem.
Additionally, as some organizations have begun to complement technology-focused efforts with cybersecurity initiatives targeting employees as potential attack vectors, these programs generally assume that employees violate security protocols through ignorance or malicious intent. Our recent research, however, suggests that most of the time, non-compliance may actually be the result of intentional but not malicious violations, largely driven by employee stress.
Many policy violations are motivated by stress, not a desire to harm
We asked over 330 remote employees from a wide range of industries to report on both their daily stress levels and their compliance with cybersecurity policies over the course of two weeks. Additionally, we conducted a series of in-depth interviews with 36 professionals forced to work remotely due to the Covid-19 pandemic to better understand the impact of the transition to working from home on cybersecurity.
We found that in our sample, adherence to security conventions was intermittent. Over the 10 workdays we studied, 67% of participants said they failed to fully comply with cybersecurity policies at least once, with an average non-compliance rate of once in 20 tasks.
But what led to these breaches of protocol? When asked why they didn’t follow security policies, our participants’ top three responses were “to do my job tasks better”, “to get something I needed” and “to help others do their job”. These three responses account for 85% of cases where employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy violations, making non-malicious violations (i.e., those motivated solely by the need to get the job done) 28 times more frequent than retaliatory ones.
We also found that people were much more likely to consciously break security protocols on days when they reported feeling more stressed, suggesting that being more stressed reduced their tolerance for following rules that got in the way of doing their jobs. Common sources of stress included family demands conflicting with work, job security fears and, ironically, cybersecurity policy requirements themselves: people were more likely to violate procedures when they worried that following them would hinder productivity, take up more time or energy, mean doing their job in a different way, or make them feel like they were constantly being watched.
Of course, because our data was self-reported, we were unable to measure violations that employees were unaware of having committed. Thus, our research is less conclusive regarding the prevalence of security issues due to ignorance or human error. But our results suggest that despite media focus on the “insider threat” posed by malicious employees, there are many well-meaning reasons why an employee might knowingly not fully comply with the rules. On this basis, we have developed three key points for managers:
There’s a middle ground between ignorance and malice
Many leaders assume that employee security breaches are malicious or unintentional, and then design security policies based on that assumption. However, our research shows that there is a middle ground between ignorance and malice, so managers would be wise to adapt their training programs and policies accordingly.
Specifically, rather than focusing on malicious attacks, security policies need to recognize that many employee-led breaches result from an attempt to balance security and productivity. This means educating employees and managers about the prevalence of non-malicious breaches and providing clear guidance on what to do if following security practices appears to conflict with getting the job done.
Additionally, organizations must take steps to involve employees in the process of developing and testing security policies, and equip teams with the tools they will need to follow those policies. Too often, IT departments develop protocols in a vacuum, with limited understanding of how those rules can interfere with people’s workflows or create new sources of stress. Especially since the shift to remote working has transformed how so many people work, IT managers must be sure to involve the employees who will be affected by new security measures in their creation, evaluation and implementation.
Job design and cybersecurity are closely linked
It is common to think that security is secondary to productivity. In normal times, this isn’t necessarily a problem, as employees are likely to have the resources to devote enough energy to both. But as the myriad stresses of the pandemic make it harder to maintain productivity, security tends to take a back seat to the critical tasks that drive performance reviews, promotions and bonuses.
To address this problem, managers need to recognize that job design and cybersecurity are fundamentally linked. The reality is that adhering to cybersecurity policies can increase employee workloads, and so it should be considered and encouraged alongside other performance metrics when workloads are determined.
Additionally, managers should work to identify and reduce sources of stress for their teams, as working under more stressful conditions can impact employee consistency in adhering to security protocols (not to mention their well-being and their effectiveness on many other dimensions). In particular, as remote working becomes more common, managers need to be aware of the psychological burden on employees of working under systems that monitor them. Surveillance systems that seemed reasonable in the office might seem intrusive at home – and while there are no obvious direct fallouts, our research suggests that the added stress could indirectly make people more likely to break security protocols.
Hackers profit from altruism
Most managers would say it’s a good thing if their employees want to help each other. But unfortunately, altruism can come at a cost: in our study, about 18% of policy violations were motivated by a desire to help a colleague. The pandemic has only increased the challenges we all face every day and therefore created even more opportunities for well-meaning employees to “help” their peers in ways that leave their organization vulnerable. Hackers know this, and they will often intentionally use social engineering tactics that take advantage of employees’ willingness to bend the rules if they think they’re helping someone.
To address this problem, managers must not only implement security policies specifically designed to protect against these types of attacks, but also work to reduce the impact of those measures on employees’ workflows and clearly explain their purpose, in order to increase employee compliance.
For example, as the shift to remote working has reduced in-person communication, Business Email Compromise (BEC) scams have become even more prevalent. These are scams in which an attacker impersonates a supervisor or close colleague and emails employees an urgent request to transfer funds. Time pressure and the desire to help a colleague can cause employees to break protocol and make these transfers without properly verifying the request. Protecting your organization against these types of attacks means not only implementing a verification policy for important transactions, but also educating employees on the importance of the policy and minimizing the extent to which it interferes with day-to-day work.
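One way to turn the verification policy into a mechanical check that does not rely on a stressed employee noticing the impersonation, as an added example that is not from the article or its authors: flag messages that pair an executive’s display name with an address not in the internal directory, that carry a Reply-To pointing to a different domain, or that combine urgency with payment language, and route any hit to out-of-band confirmation before a transfer is made. The organization domain, executive directory and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organization data (constructed, not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana smith": "dana.smith@example.com"}  # display name -> directory address
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []
    # A known executive's name on an address that is not their directory entry.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"display name '{from_name}' used with non-directory address {from_addr}")
    # Replies silently redirected to the attacker's mailbox.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # The social-engineering pattern the article describes: urgency plus money.
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment request language")
    return findings


def requires_out_of_band_verification(raw_message: str) -> bool:
    """Policy hook: any indicator means confirm by phone or chat, never by replying to the email."""
    return bool(bec_indicators(raw_message))


# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: Dana Smith <dana.smith@example-mail.net>
Reply-To: Dana Smith <ceo.dana@freemail.test>
To: ap@example.com
Subject: Urgent wire needed today

Please process this transfer before noon, I am in a meeting and cannot talk.
"""
BENIGN = """From: Dana Smith <dana.smith@example.com>
To: ap@example.com
Subject: Q3 planning notes

Attached are the notes from yesterday. No action needed.
"""
```

The check supports the policy rather than replacing it: a flagged message does not block work, it only moves the confirmation step to a channel the impersonator does not control.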
. . .
In the modern cybersecurity landscape, every employee is a potential threat vector. To keep their organizations secure, technical and business leaders need to understand the factors that can make anyone susceptible to flouting policy and opening the door to attackers. While the idea of a resentful employee deliberately trying to harm their business can make for a compelling story, our research highlights the major role of employee stress in motivating non-malicious (but potentially catastrophic) security breaches. To address the growing risk of cyberattacks – as well as the myriad other risks associated with an increasingly stressed workforce – leaders must undertake targeted efforts to minimize the root causes of workplace stress and design healthier and more sustainable working conditions for employees at all levels.
This work was supported by National Science Foundation RAPID Award #2030845, Division of Social and Economic Sciences. The opinions expressed here are those of the authors and do not reflect those of the National Science Foundation.