Perry Carpenter is chief evangelist for KnowBe4 Inc.provider of the popular Security Awareness Training & Simulated Phishing platform.
While the mindfulness movement has become quite popular in recent years, it’s actually a term with “exotic origins” in the 1800s, according to the New York Times. It’s essentially the idea we can experience by slowing down and being hyper-attentive to our surroundings physical and mental benefits.
What does that have to do with cybersecurity? More than you probably realize.
For example, consider the spread of phishing attacks, which are attempts by cyber criminals to trick you into clicking dangerous links. Even the most security conscious among us can fall prey to these attacks. Why? I think the answer is that we multitask and get distracted.
In short, we are not observant.
Distraction was a prominent cause of cybersecurity breaches during the pandemic a study (download required) indicating that employees tend to make mistakes that impact cybersecurity when they are tired or distracted.
Employees don’t have to work from home to be distracted. Wherever they are, they can be distracted. That’s why it pays to help them develop cybersecurity mindfulness.
From my perspective, there are three factors that can contribute to the opposite of mindfulness.
• Attempting to do several things at once.
• Participate in making heuristic assumptions that do not always lead to the right decision.
• Being sensitive to emotions that cybercriminals exploit.
Let’s look at each of these in a little more detail to see how they can contribute to vulnerability to cybersecurity attacks.
The myth of multitasking
Most of us think that multitasking is a good thing, that it helps us be more productive. But it is actually possible have the opposite effect. Multitasking causes us to lose focus as our mind shifts from thing to thing. Any shift results in the loss of cognitive attention. Every time we make a shift, we lose energy and focus. We become more vulnerable. This is something cyber attackers know well.
The risk of mental shortcuts
Our brains are made to be efficient and can help us make many decisions quickly and without much thought. For example, if you’re crossing the road and you see a car approaching, you don’t want to take time to analyze the situation; you just want to act. And that’s a good thing. But mental shortcuts aren’t always helpful. In fact, from a cybersecurity point of view, I believe they can be risky.
Suppose an employee receives an email and the URL is slightly misspelled. In that situation, a mental shortcut can surface, and the employee’s brain can automatically ‘fix’ it so that it sees what it wants or expects to see – rather than the spelling errors – so that the employee clicks on the fake link without thinking.
From my perspective, the more emails we receive in a day and the more distractions we have around us, the more likely we are to fall prey to the negative side of mental shortcuts.
The impact of emotional triggers
The amygdala is an almond-shaped part of the brain that plays a role when our emotions are triggered. When we are a little scared, our amygdala is activated and a fight-or-flight response will occur. That fight-or-flight response can hijack our executive functioning and making sure we do things we wouldn’t normally do.
All three of these things — multitasking, mental shortcuts, and emotional triggers — can leave us vulnerable to cybersecurity threats. From my perspective, we have to be hyper-aware to avoid them. We must be attentive.
Helping employees become mindful to thwart cybersecurity risks
Mindfulness can help address human errors and concentration. Back in 2017, researchers found that mindfulness training techniques were more effective than traditional training techniques when it came to phishing susceptibility.
From a cybersecurity perspective, that means if we can bring more mindfulness techniques into our training and help people be more present, they’re less likely to click on the bad stuff. So how can we do that?
Here are some ideas.
• Share information with employees about why multitasking isn’t always the most effective, and share research. Make it clear that by focusing on doing one thing at a time, they can be more productive, effective and less susceptible to cybersecurity risks.
• Teach employees to be attuned to and listen to the signals their bodies give them. Teach them to listen for the warning signs, including potentially positive ones (for example, if they see a pop-up offer that just seems too good to be true – which it is). Teach them to understand when they are triggered, to slow down and to think before acting.
• Teach them to slow down and refocus. One way to do this is practice four square or “box” breathing. This means you inhale for a count of four, hold your breath for a count of four, exhale for a count of four, and hold your breath again for a count of four – a total of 16 seconds. It’s simple, but it’s a technique you and your team can learn to use.
• Teach them to use energetic movements to become more attentive. Some physical activity can help you concentrate and make you more focused.
Social engineers target our human weaknesses – and they are good at it. But if we can learn to practice mindfulness and become more aware of our surroundings and our body’s reactions to those stimulants, we can be less vulnerable.