How Workplace Culture Creates Cybersecurity Failures
Here’s an interesting thought experiment.
When you are in your office and receive an email from your boss, how long will it take before a follow-up email or phone call will occur if you don’t respond?
If the answer to that question is a short time period, like say 10 minutes, you might actually be at an increased risk of being a victim of phishing. The reason for that is that the culture is training all of us to continually think fast, make quick decisions and take quick actions. Time is money, after all. But, according to psychology, this may be exactly the training that hackers target.
Phishing emails use emotional tactics to get us to bypass logic—and click the link. To explain why phishing works, Oliveira turns to Nobel Prize-winning psychologist and economist Daniel Kahneman’s model of two systems of thinking. System 1 is fast, intuitive, and emotional — “ like when you come to a doctor’s appointment and you decide where to sit,” she says. System 2, on the other hand, is slow and deliberate. Because we have to make thousands of decisions per minute, we need System 1, which depends on mental shortcuts to help us move through life efficiently. For instance, we have a truth bias, a belief that others are more likely to tell the truth than to lie; to assume otherwise would be exhausting. But biases like this can also leave us open to unwise decisions, by, say, making us predisposed to assume that an email which says it’s from our bank updating our password is really from our bank.
So, our cybersecurity training tells us to slow down, evaluate the contents of emails that we receive, and verify the information when it’s not expected. But our culture, especially in the legal field, would be the opposite of that. When you get an email asking you to do something, you do it, now.
Maybe, if the expectations allowed for a little bit slower, more careful, thinking, we could get somewhere in the fight against phishing and ransomware.
Clearly, our fast thinking isn’t working. So you have to ask yourself, which is more important, getting the quickest possible response, or keeping your data safe?
