Want to Limit Phishing Attacks? Help Out Your Co-Workers

Cyber-attacks don’t happen in a vacuum. A recent study shows the best way to combat a phishing scheme involves addressing employee stress. It’s well established that when it comes to cybersecurity, a lot of an organization’s vulnerabilities can be found in its employees. Whether it’s because they haven’t been trained to identify threats or they just weren’t paying attention, employee error accounts for an overwhelming 88% of breaches. A recent psychological study did a deeper dive into just why this is so common, and found that stress is a major factor. The study, carried out at the U.S. Department of Energy’s Pacific Northwest National Laboratory, found that employees who reported a high level of work-related stress were far more likely to fall for a simulated phishing email. Employees were asked to self-report their levels of distress – specifically feeling tension when they’re in a difficult situation and unable to effectively deal with their workloads. Researchers learned that every one-point increase in self-reported distress raised the likelihood of responding to a simulated phishing attempt by 15%. Among the most effective phishing links employees clicked:

• “This policy will go into effect three days from the receipt of this notice…acknowledge the changes immediately” (49%)
• “…comply with this change in dress code or you may be subject to disciplinary action” (47%), and
• “Per the Office of General Counsel…” (38%)

The key to reducing these risks, the researchers suggested, is to help employees recognize when they’re feeling most stressed, so they can become more aware and cautious during periods of vulnerability. Machine alerts may be helpful, akin to those in cars that sense driver fatigue and recommend a break. But a simpler strategy may be for team leaders to regularly check in on staffer welfare, before stress or weariness results in a costly breach.