How a few deep breaths could avert a phishing attack
Simple mindfulness and a few deep breaths could be enough to prevent users from falling prey to a phishing attack.
This is according to Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa, who was speaking at ITWeb Security Summit 2023, being hosted in Sandton this week.
Collard said more than half of people who fell victim to phishing said they had been multi-tasking or under stress at the time.
In a recent KnowBe4 / ITWeb Cyber Stress & Cyber Wellness survey, 47% of respondents said they were under ‘high’ or ‘very high’ levels of stress, and 37% attributed security mistakes to distraction, multi-tasking and cognitive overload. Respondents believed security culture could be improved through more security training (71%), in-the-moment training (53%), and offering people mindfulness tools and training to be less distracted (49%).
Collard explained that when people are multi-tasking, their cognitive overload puts them at risk of overlooking key warning signs in phishing mails. When their brains go into 'heuristic System 1 thinking mode' (a term used by psychologist Daniel Kahneman), in which they make broad observations and quick decisions, they are also ill equipped to assess the validity of an e-mail.
The myth of multi-tasking
“The myth of multi-tasking is that we confuse activity with productivity. But multi-tasking is not productive, and it is in fact an addictive behaviour – we get a dopamine hit every time we tick things off our to-do list. But like all addictive behaviours, it contributes to anxiety and stress. If we can teach people one thing to make them happier and more secure and productive, it’s to slow down and stop trying to multi-task,” she said.
Another human vulnerability is emotional responses to e-mails, she said: “Our amygdala gets fired whenever you have an emotion, and this hijacks our executive function. That’s why social engineers exploit emotions.”
Collard outlined how mindfulness could help users to be more vigilant and make fewer security errors.
“Cyber security training and awareness programmes don’t automatically result in more secure behaviour. But if we equip people with tools to make them more mindful in the moment, they are less likely to be manipulated,” she said.
She said mindfulness was becoming a mainstream focus in the corporate world, with proven benefits in reducing stress and improving productivity. Applied to cyber security training and awareness, it could significantly reduce risk, she said. Among the mindfulness techniques she recommended are breathing exercises, movement, and focusing on sensory experiences.
Collard said: “For example, if you realise a message you’ve received triggers an emotion, use that emotion as a warning sign. You don’t need to respond immediately. Take a few moments to slow down, take some deep breaths and calm your nervous system.”
Collard is introducing the concept of mindfulness into KnowBe4 programmes, teaching employees to understand why they fall for phishing mails, and how to manage their mental wellness better. KnowBe4 is also piloting the Zensory – a desktop and mobile app designed to help users become calmer and more focused. Informed by research papers and neuroscientists, the Zensory includes breath work, music, binaural beats, naturescapes and touchpads to help users focus and improve cognitive function.
Collard said traditional awareness and training that involved tracking and tricking users was not ideal. “It changes the employee experience when you talk about cyber security in a more positive and empathetic way,” she said.
Cyber mindfulness in practice
Christine Gordon-Bennett, cyber security awareness manager in the Chief Information Security Office of Nedbank, outlined how the bank had adopted mindfulness and the Zensory app as part of its cyber security awareness programmes.
Her department worked with the HR, corporate wellness and cyber security teams in designing the campaign. “HR and corporate wellness were enthusiastic, but at first, cyber security was confused about what wellness had to do with cyber security,” she said.
Gordon-Bennett said a phishing campaign staged before the mindfulness campaign had delivered unsatisfactory results. “We asked people why they had failed, and many said they had been stressed, multi-tasking or distracted. Many also noted that the mails had caused an emotional response.
“We launched the cyber mindfulness campaign with a roadshow across the country, and the benefits were apparent immediately. We asked staff how they were feeling, and explained how that resulted in them getting caught by phishing mails. Staff appreciated being spoken to on a personal level, and understand they don’t need to react straight away. Because stress levels are at an all-time high in all businesses, our staff appreciated that we weren’t just talking about risks and threats, but also focusing on how they were feeling. We had an overwhelmingly positive response. We will be testing the success of the campaign soon, and plan to run similar ones in future,” she said.