Because cybersecurity inherently refers to the protection placed on one’s digital data, you can be forgiven for not realising the importance of human psychology in cybersecurity. In fact, human psychology is the very reason that employees keep falling for phishing scams, with fraudsters deliberately preying on vulnerable personalities and predictable habits for their own nefarious ends.
For a long time, when discussions on cybersecurity happened, the talk was always about hackers and how to prevent them using technical expertise and new hardware/software solutions. The human element of cybersecurity was forgotten about. Now, as we understand the human element in cybersecurity incidents, we can analyse why employees keep falling for phishing scams and some solutions that can help rectify your security culture.
And phishing remains a massive issue in cybersecurity with 22% of employees likely to expose their organisation to a cyber attack via a successful phishing attempt!
Human-computer interaction (HCI) merged human and cognitive science with computer science so the digital space and human space could work in tandem with each other. In the modern day, we would refer to this as the user experience and laud companies that make software easier and more intuitive.
However, whilst it became more natural for humans to use computers, the now close connection between computer and human has opened the door to more cybercrime. As HCI improves, cybercriminals are taking advantage of the close-knit connection between user and computer. In some cases, users themselves automate or program interactions for convenience, removing the human element from the loop entirely. A cunning third party can then manipulate this improved HCI to phish for information and crack accounts.
As user experience (UX) and user interfaces (UI) become more intuitive and our behaviours are conditioned to act a certain way online, an almost Pavlovian conditioning occurs that establishes behaviours in a predictable pattern. More than 333 billion emails are sent or received daily with automated clicking behaviour now common for most users. And with many working or operating under time constraints, automatic established behaviours because of intuitive UI/UX can open cyberattack surfaces for cybercriminals.
By understanding human behaviour and what makes us click quickly, cyberattacks have risen to new levels of success. However, just as less than safe behaviours are learned, they can also be unlearned!
We lose focus and impetus when completing laborious manual tasks repeatedly, and the same happens with digital tasks. If employees are not taking regular breaks to dissipate brain fog and get some mental rest, they will be making important security decisions with a lower cognitive capacity than required, which leads to an increased chance of cyber incidents occurring.
In fact, data shows that of the employees who open a phishing email, 53% are likely to click a link found in the email body, with 23% likely to follow through to a spoofed login page and a further 7% downloading email attachments. Many of these actions occur because of ingrained digital habits, but also because cyber fatigue leads to employees not double-checking sources and attachments, opting instead for the quicker option of just clicking through.
Phishers using social engineering tactics during a crisis is nothing new and this will not be the last case of opportunistic cyberattacks. Every time we see a crisis, we see cybercriminals blast out phishing emails, hoping to catch out employees who are not aware of how to deal with social engineering phishing attacks.
This cybersecurity awareness training and learning needs to be consistent. Dr Mona Rashirad, Lecturer in Strategy at the University of Sussex Business School, says: “To prevent phishing attacks, a well-designed continuous security training and educational programme, incorporating phishing simulation exercises and embedded training for vulnerable employees, needs to be established and enforced in organisations.”
Opening malicious phishing emails on your phone can also compromise your home network and any devices connected to that central network. This is quite a common way for cybercriminals and phishers to enter an organisation, and a method that is increasing in occurrence post-pandemic.
In 2022, you simply cannot afford to have gaps in your cybersecurity strategy. There are numerous pillars to cybersecurity, but phishing security is one of the most important. Firewalls and other technological solutions are important, but if you do not apply the same focus to your employees, you will find many vulnerabilities in your cybersecurity.
A cybersecurity strategy that includes technical safeguards and employee security awareness and training will provide the best opportunity to lower attack success rates and minimise the impact that cybercrime can have on your organisation.
TSC has been helping organisations across a variety of sectors defend against phishing schemes for over 20 years. We can provide engaging and gamified eLearning courses that will teach secure behaviours to your employees in a manner that maximises retention. We can also keep this messaging consistent within your organisation with a library of free and bespoke resources that show how to spot phishing attempts and how best to report such cyberattacks.
If you would like more information about how The Security Company can help deliver security awareness training for remote workers or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.
© The Security Company (International) Limited 2023