Employees being the weakest link in every company’s cybersecurity chain is no longer news. But have you ever wondered why they behave in a way that makes them such an attractive target for cyber-crooks? Cyber criminals and state-sponsored hacking groups target employees (rather than systems) for a reason: it’s a lot easier to be handed the keys to the kingdom than to forge them yourself. So they engage in phishing attacks, Business Email Compromise (BEC) attacks, social engineering attacks, and whatnot.
They’re quite successful, too. Cybercrime has never been as widespread and devastating as it is today. Just one type of cybercrime, ransomware, cost businesses north of $20bn last year, and it’s only getting warmed up. And while I’m on the topic of statistics, here’s a tiny stat for you, for which you don’t need large polls or official confirmation: no employees (save for a handful of malicious, disgruntled insiders) engage in risky cyber-behavior on purpose, nor would they want to be the ones blamed for an incident that took hundreds of thousands of dollars to remedy.
Still, they often fail to meet even the simplest cybersecurity requirements. So, what’s up with that?
Cognitive bias as a root cause of breaches
Cognitive biases are up with that. There are certain cognitive biases that affect people’s behavior in the workplace and lead to cyber-risks.
That’s the bad news.
The good news is that you can do something about it. It’s not really that difficult and it will significantly reduce the chance of your company being at the center of an infamous headline. So, let’s delve into what cognitive biases are, how they affect employee cyber-behavior, and more importantly, what you can do about it.
Cognitive what now?
Experts describe cognitive biases as “unconscious and systematic errors in thinking”, often the result of the brain’s effort to simplify the complex problems we’re surrounded with. There are many cognitive biases that affect how we engage on a daily basis, including confirmation bias, hindsight bias, self-serving bias, anchoring, availability bias, and many, many others. They shape how people make everyday calls and, as such, are a major factor in the safety of both employees and the entire business. They’re mostly unconscious, but there are things you can do to steer people toward a new way of thinking and minimize the potential damage. Now let me share with you the three most common cognitive biases affecting people’s decision-making in the workplace and what you can do to keep them in check:
Optimism bias
The first one on today’s list, optimism bias, also known as “unrealistic optimism” or “comparative optimism”, is the unsubstantiated notion that bad things only happen to someone else. In the context of cybersecurity, optimism bias shows up as employees choosing weak, easy-to-crack passwords, thinking no one would bother hacking them. For the same reason, people will share passwords with friends and family, reuse the same password across multiple services, use the same devices for private and business affairs, share those devices with other members of the household, and engage in a myriad of other risky practices.
So, how do you handle it?
Most of the time, changing employee behavior starts with raising awareness of the problem, and educating employees about the dangers of certain behaviors. When it comes to optimism bias, you can educate your employees that everyone’s a potential target, not just large enterprises or government agencies. To support that, you can show them real-life examples of people being targeted, regardless of company size, revenue or earnings, or their position within the company.
But besides education, you should also get back to basics and enforce a tough(er) password policy:
- Make sure passwords have at least eight characters (longer is better: length does more for resistance to cracking than a forced symbol mix, and a long passphrase is easier to remember than a short jumble), and include capital letters, numbers, and symbols
- Make sure passwords are unique: no using the same password across multiple services, and no trivial variants of an old one (changing only the last character, or bumping Summer2023 to Summer2024, does not count as a new password)!
- Decide on a rotation rule. Rotate immediately whenever a password may have been exposed (a breach notice, a phishing click, a lost shared device). Scheduled rotation every three months is a common place to start, but be aware that current NIST guidance (SP 800-63B) discourages mandatory periodic changes, precisely because they push people toward the predictable variants the previous point forbids
- Make sure employees use a password manager (LastPass is one choice, but there are many others; pick what works best for you), so that long, unique passwords are practical rather than a burden
- Make sure to use multi-factor authentication (MFA): an authenticator app such as Google Authenticator, or better still a FIDO2 hardware key such as a Google Titan key, which is bound to the real site and so also resists phishing of the code. Phone numbers (SMS codes) can be used for MFA, but with SIM-swapping being a thing, I wouldn’t recommend it.
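To make the policy above concrete, here is a small Python checker, added as an example and not code from the original post. It enforces the length and character-mix rules, rejects passwords containing the username, rejects anything on a weak-password list or in a breach corpus, and, most usefully, rejects trivial variants of a previous password (the “change only the last character” and “Summer2023 to Summer2024” habits). The weak-password list, the breach table and the password histories are constructed sample data; the breach lookup mimics the k-anonymity range scheme used by services such as Have I Been Pwned (only the first five hex characters of the SHA-1 hash identify the bucket, and the suffix is compared locally) rather than calling any real service.

```python
"""Password-policy checker: an added example, not code from the original post.

The weak-password list, the 'breach corpus' and the password histories used
below are constructed sample data, not real breach data.
"""
import hashlib
import re

MIN_LENGTH = 8

# Character classes the policy asks for (pattern -> description).
REQUIRED_CLASSES = {
    r"[A-Z]": "an upper-case letter",
    r"\d": "a digit",
    r"[^A-Za-z0-9]": "a symbol",
}

# Constructed denylist of common weak passwords (lower-cased for comparison).
WEAK_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form used by k-anonymity range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, keyed by the first five hex
# characters of the SHA-1 hash. A real deployment would fetch that one bucket
# from a range API (only the 5-character prefix leaves the machine) and
# compare suffixes locally, exactly as in_breach_corpus() does below.
BREACH_RANGES = {}
for _leaked in ("Summer2023!", "Welcome123", "P@ssw0rd"):
    _digest = sha1_hex(_leaked)
    BREACH_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def in_breach_corpus(password):
    """Look up the hash suffix inside its 5-character prefix bucket."""
    digest = sha1_hex(password)
    return digest[5:] in BREACH_RANGES.get(digest[:5], set())


def _stem(password):
    """Normalise for 'trivially different' comparison: lower-case, and drop
    trailing digits/symbols so Winter2023! and Winter2024? share a stem."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def trivially_derived(new, old):
    """True if `new` equals `old`, differs from it only in the last character,
    or shares the same alphabetic stem (the Summer2023 -> Summer2024 habit)."""
    if new == old:
        return True
    if len(new) == len(old) and new[:-1] == old[:-1]:
        return True
    stem = _stem(new)
    return len(stem) >= 4 and stem == _stem(old)


def check_password(new, history=(), username=""):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, description in REQUIRED_CLASSES.items():
        if not re.search(pattern, new):
            problems.append(f"missing {description}")
    if username and username.lower() in new.lower():
        problems.append("contains the username")
    if new.lower() in WEAK_PASSWORDS or in_breach_corpus(new):
        problems.append("appears in a weak-password or breach list")
    if any(trivially_derived(new, old) for old in history):
        problems.append("reuses or trivially modifies a previous password")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's previous password was Winter2023!
    for candidate in ("pass1", "Summer2023!", "Winter2024?", "Tr0ub4dor&3xC0rrect"):
        verdict = check_password(candidate, history=("Winter2023!",))
        print(f"{candidate}: {', '.join(verdict) if verdict else 'OK'}")
```

Note that the stem comparison is deliberately loose: it treats any password whose letters match a previous one after stripping the trailing digits and symbols as a rotation dodge, which is exactly the pattern forced periodic rotation tends to produce. In a real deployment, store only hashes of the history and run the comparison at change time, before the new password is hashed.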
The next in line is:
The ambiguity effect
The ambiguity effect revolves around playing it safe and conserving energy. If a person is faced with two choices, they will rather choose the one whose consequence is known over the one that’s ambiguous. By doing that, people often increase the risk of a cyberattack. You’re probably asking how? Here is an example:
By putting off patching their operating systems, apps, and programs, which is especially common when they use personal devices for work. Fearing that an update might “break” a device or an app they rely on, employees will often postpone or ignore critical updates to their operating system and security software. The known outcome (everything keeps working today) wins over the ambiguous one (an update that might change something), and that leaves the door open for criminals to exploit known, already-patched vulnerabilities.
And how do you handle this one?
Similarly to tackling optimism bias, leaders should explain the benefits of performing a given action versus the likely outcome of keeping the status quo. If the ambiguity effect revolves around one of the options being unclear, remove the doubt: when you ask people to install an update, tell them in plain language what it fixes, how long it takes, and that it can be rolled back if something goes wrong. Better still, take the decision out of their hands wherever you can, by enrolling work devices (including personal devices used for work) in managed, automatic patching, so that staying current is the default rather than a choice.
And last (but far from least):
The Dunning-Kruger Effect
The internet’s sweetheart, the Dunning-Kruger effect is a cognitive bias whereby people with little skill in an area tend to overestimate their ability, while highly competent people tend to underestimate theirs. You can see why the internet loves to play around with this one. In the cybersecurity world, it translates, for example, into some people overestimating their ability to spot a phishing attack, a shady link, or a malicious attachment in an email. They believe they’re above it, that they’d swiftly and easily spot malware in an email or an attempted telephone fraud.
One last time, how do you handle it?
You need a sort of wakeup call, a reality check. You need to show just how advanced and sophisticated cyberattacks can be, and the best way to do that is through phishing simulations. Through these simulations, run against unsuspecting employees, businesses can show that everyone can be lured and that all it takes is a moment of carelessness, a few tight deadlines, and a little fatigue to drop your guard. Two caveats: follow a simulated click with a short, blame-free explanation rather than punishment, or people will simply stop reporting the real thing, and measure how many people reported the message as well as how many clicked, because the report rate is what actually protects you. After running these simulations, business leaders can present real-world phishing, ransomware, and other social engineering incidents to prove that no one is cyber-proof.
Being a step ahead of the criminals…
is crucial. Because you can be absolutely certain: the enemy never sleeps. Cybercriminals are always hard at work, upping their game, growing more sophisticated and more dangerous by the minute. So, to ensure the security of the business, you always need to be one step ahead, constantly upgrading and evolving your cybersecurity practices. The first way to do this is to be aware of the pitfalls that lead your team to make wrong everyday decisions. It’s human nature, as simple as that. It’s crucial to bear behavioral science in mind when preparing your cybersecurity protection plans, as opposed to relying only on traditional solutions that don’t, and as such can’t effectively influence employee cyber-behavior. By understanding patterns in behavior, you’ll be able to address risky habits before they turn into incidents. And with employees remaining on the front line of that battle, I’m pretty sure there is no other way, anyway.