From burnout to breach: How employee wellbeing impacts cybersecurity
Cyber Resilience | Article | August 20, 2024
In recent years, there has been an increasing awareness of the importance of employee wellbeing in the workplace. Research shows that employee wellbeing has a significant impact on productivity, profitability, and talent retention. However, the role of employee wellbeing in an organisation’s cybersecurity is not always as well known.
Alarmingly, a quarter of cybersecurity leaders are predicted to leave their role due to workplace stress, and half are thinking of switching jobs anyway. Another important figure, commonly cited by cyber experts, comes from IBM. IBM reports that 95% of all cyber breaches result from human error, emphasizing the importance of addressing the human factor in cyber security. Poor employee wellbeing or bad working environments create vulnerabilities that can lead to a higher risk of cyber-attacks.
Wellbeing is a major concern for cybersecurity leaders
There are multiple relationships between cybersecurity and wellbeing:
1) Talent acquisition and retention
With the high demand for cybersecurity expertise, the working environment could be the deciding factor in whether talent stays or goes. A workplace that shows its commitment to employee wellbeing will also draw in more candidates.
2) Poor work culture and social engineering
Anxiety and stress can impair judgment, leading to poor decision-making and an increased chance of falling for social engineering tactics. A poor work culture can create behaviours that are counterproductive to security training, for example employees in a rigid hierarchical structure may feel pressure to conform to the expectations of their superiors, making them less likely to question suspicious requests or report security incidents.
Imagine a scenario where an employee who is under constant pressure or being micro-managed receives a company-branded email with their manager’s signature at the bottom. The employee is under pressure, so they hurry to respond and fail to see the clear signs of a phishing attack: a misspelt email domain and an external-sender flag. The employee clicks on the link as instructed in the email from their ‘manager’ and the phishing attack succeeds. These situations could be avoided by a healthier work culture.
3) Rushed projects and bypassing security guidance
Rushed, fatigued, or overworked employees may not have the time or resources to prioritise security measures in their work. Developers may bypass security considerations if rushed, and fatigue leads to accidents and errors, such as misconfigurations or insecure code. Misconfigurations and errors in code can leave vulnerabilities to be exploited by attackers.
In fact, 69% of employees have ignored their organisation’s cybersecurity guidance in the last year. In that survey, 74% of people say they would be willing to ignore cybersecurity guidance if it meant they or their team could reach a business goal. If project planning includes breathing room, space for security considerations, and time for mistakes to be made and fixed, then it takes into consideration the wellbeing of the employees as well as the security of the project.
4) Appreciation in the workplace and insider threat
Unhappy or disgruntled employees also pose a severe threat to cyber security. A report by Accenture found 43% of cyber-attacks are motivated by malicious insiders (not necessarily cyber-attacks leading to large consequences or losses, but overall incidents such as minor data leaks). This includes employees who have access to sensitive information and use it for their own benefit or to harm the organisation. Poor employee morale can lead to a lack of commitment to protecting the company's assets, making it easier for insider threats to occur.
Thus, employee wellbeing generally has a massive impact on the rate of data loss. According to a study by Ponemon Institute, 60% of employees who leave an organisation take sensitive data with them. This data loss can occur due to various reasons, such as a lack of loyalty, a sense of injustice, or an unfulfilling work environment. For example, Morgan Stanley reported an employee had stolen client data and posted it online although the employee denied this. This data breach cost the company an estimated $1.5 million in legal and remediation fees.
5) Overdoing security measures and missing real incidents
Security operations centres (SOCs) monitor activity in your systems for signs of an attack or any other security incident. SOC teams are sometimes inundated with numerous alerts, many of which can be red herrings, raising the concern that they might overlook genuine threats amidst the noise. It is crucial to ensure triggers are configured properly to prioritise alerts effectively, thereby reducing stress on staff and enhancing the SOC team's ability to focus on genuine threats. This is yet another case where a gap in just one measure could lead to both a wellbeing and a security risk.
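To make the alert-tuning point concrete, here is an added example (not code from the article or from Zurich) of the kind of triage logic a SOC can apply before an alert reaches an analyst: repeated alerts for the same rule, host and user are collapsed into one group with a count, each group is scored by severity multiplied by an assumed asset-criticality weight, a bonus is added when several distinct rules fire for the same user, and only groups above a threshold are queued for review. The sample alerts, hostnames, rule names and criticality weights are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str       # name of the detection rule that fired
    severity: int   # 1 (informational) to 5 (critical)
    host: str
    user: str


@dataclass
class AlertGroup:
    first: Alert        # first raw alert in the group
    last_ts: datetime   # timestamp of the most recent raw alert in the group
    count: int = 1      # raw alerts collapsed into this group
    score: int = 0      # priority score, higher is more urgent


# Assumed asset criticality weights for the example; unknown hosts default to 1.
ASSET_CRITICALITY = {"dc01": 3, "fileserver": 2, "vpn-gw": 1}


def build_sample_alerts():
    """Constructed sample data (not real telemetry): a noisy service-account
    login loop plus a small cluster of genuinely suspicious activity by one user."""
    base = datetime(2024, 8, 20, 9, 0, 0)
    noise = [Alert(base + timedelta(seconds=10 * i), "failed_login", 2, "vpn-gw", "svc-backup")
             for i in range(200)]
    signal = [
        Alert(base + timedelta(minutes=5), "new_admin_account", 5, "dc01", "jsmith"),
        Alert(base + timedelta(minutes=6), "failed_login", 2, "dc01", "jsmith"),
        Alert(base + timedelta(minutes=8), "outbound_large_transfer", 4, "fileserver", "jsmith"),
    ]
    return sorted(noise + signal, key=lambda a: a.ts)


def collapse_duplicates(alerts, window=timedelta(minutes=10)):
    """Collapse repeats of the same (rule, host, user) that keep firing within
    `window` of the previous occurrence into one group carrying a count."""
    groups, open_groups = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.rule, a.host, a.user)
        g = open_groups.get(key)
        if g is not None and a.ts - g.last_ts <= window:
            g.count += 1
            g.last_ts = a.ts
        else:
            g = AlertGroup(first=a, last_ts=a.ts)
            groups.append(g)
            open_groups[key] = g
    return groups


def score_groups(groups):
    """Priority = severity x asset criticality, plus a correlation bonus of 2
    for every additional distinct rule that fired for the same user."""
    rules_per_user = defaultdict(set)
    for g in groups:
        rules_per_user[g.first.user].add(g.first.rule)
    for g in groups:
        crit = ASSET_CRITICALITY.get(g.first.host, 1)
        distinct = len(rules_per_user[g.first.user])
        g.score = g.first.severity * crit + 2 * (distinct - 1)
    return groups


def triage(alerts, window=timedelta(minutes=10), threshold=5):
    """Return groups scoring at or above `threshold`, most urgent first.
    Groups below the threshold stay available for reporting but are not
    pushed to an analyst."""
    groups = score_groups(collapse_duplicates(alerts, window))
    return sorted((g for g in groups if g.score >= threshold),
                  key=lambda g: g.score, reverse=True)


if __name__ == "__main__":
    raw = build_sample_alerts()
    queue = triage(raw)
    print(f"{len(raw)} raw alerts -> {len(queue)} for analyst review")
    for g in queue:
        print(f"  score={g.score:2d} x{g.count:<3d} {g.first.rule} {g.first.user}@{g.first.host}")
```

On the constructed input, 203 raw alerts collapse to four groups and only the three related to the suspicious user clear the threshold, with the new admin account on the domain controller ranked first. The 200 repeated service-account failures are not discarded; they are recorded once with a count, which is the information an analyst needs to decide whether that rule wants tuning, without 200 separate notifications.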
The Link Summarised
Employee wellbeing can pose a serious cybersecurity vulnerability if it’s not addressed as the first step in building resilience. Exploring how employee wellbeing can play a part in secure code and configurations, resilience to social engineering, and the prevention of deliberate or accidental data leakage only touches the surface of the significance of wellbeing to cyber security. So how can we improve our resilience to these risks?
Managing cyber and wellbeing risks
Poor wellbeing can be caused by organisation-wide problems, but it may also relate to the culture and working practices within individual teams. To reduce the likelihood of cyber risks occurring because of poor wellbeing, we suggest making some simple changes:
Cybersecurity controls
- Create a positive work culture around security. If individuals feel they are being bombarded with alerts, given unrealistic deadlines and chased for progress it can lead to negative perceptions of the cybersecurity systems and processes.
- Acknowledge successful identification of phishing simulations.
- Aim for transparent and open communication by building trust between employees and management, so security directions are trusted and the team are open about any vulnerabilities they spot. Proportionate responses to cyberthreats will help foster good relations between experts and users.
- Aim for a culture of continuous improvement instead of direct competition.
- Implement automation where it can reduce the chances of human error e.g. in incident detection.
- Reduce data leakage with better Data Loss Prevention (DLP) tools and email and attachment blocking.
- Enforce a thorough leavers process to reduce data leakage.
- Apply stricter access controls to reduce the chance of accidental data integrity loss or deliberate data confidentiality loss.
- Provide regular and varied training to improve retention and reduce the potential for human error.
Wellbeing controls
- Cultivate a culture of transparency, encourage leadership to be open with reasons behind decisions.
- Develop a method for assessing psychosocial risks that enables improvement to the factors that most impact worker mental health from work organisation, social interaction, work tasks, equipment and environment.
- Ask employees’ opinions and monitor how they are feeling. Are they overloaded? Should more staff be hired or projects slowed down? Are they experiencing information overload?
- Consider project risks that could result in poor wellbeing, stress or fatigue (not enough people working on the product, deadlines that are too short, not enough communication).
- Show employees they are valued and that you are aware of current social trends that could be affecting them, e.g. offer financial advice, gym memberships, social events. Train managers and workers to identify, assess and manage risks to mental health and wellbeing.
Addressing wellbeing and cyber risk exposures
Cyber risks can be affected by the wellbeing of cybersecurity experts and the culture within the team. Employees are the frontline of cybersecurity, and their ability or willingness to implement cyber controls can also be affected by their wellbeing. If wellbeing isn’t a consideration when you design your cybersecurity frameworks and processes, it should be.
Improving wellbeing supports people to be more effective in their work. We shouldn’t forget the importance of the human element of cyber control.
WE CAN HELP
For services or advice on either cyber risk or wellbeing risk, please reach out to the authors of this article:
- Sheá Panayi – Cyber and AI Risk Consultant – shea.panayi@uk.zurich.com
- Dave Hounsell – Mental Health and Wellbeing Risk Consultant – dave.hounsell@uk.zurich.com
For more general information about ZRS, contact us.