Why employee mental health is key to your security posture

Written by Andy Robertson on 14/3/2022

Mental health isn’t a topic you immediately associate with cyber security. However, maintaining employee wellbeing is an important defence in protecting your organisation.

Human error contributed to 85% of security breaches, according to Stanford-backed research. These errors are more likely to be made by employees who are operating under extreme pressure and stress.

For example, if an employee is having to perform multiple tasks at pace, some areas may lack the attention they need, leading to weaknesses in the system. Therefore, cyber attackers will be looking to exploit employees who are working up against it.

While working from home may have created a better work-life balance for some employees, at times it can be a stressful working scenario, especially if other family members are working from home too. Of course, situations like this will be in the hands of employees, but management’s approach can still make a huge difference to the stress levels felt by those working remotely.

To this end, encouraging employees to follow best practice is key. Managers will need to ensure they’re placing emphasis on employees conducting tasks correctly and safely, rather than hammering home the need for speed.

How do cybercriminals exploit stressed-out employees?

A good security posture comprises three elements: people, processes, and technology. When the people element disappears, security posture dissipates.

Compromises to business emails are a prime form of attack for cybercriminals looking to exploit security postures that have fallen short. If employees feel like they’re under pressure from senior management, they’re less likely to question odd requests from them. It means that if attackers take control of senior executive email accounts, employees are more likely to succumb to following instructions sent from the account that could compromise their business’ data.

Arguably, if employees were operating in a less stressful environment, they’d feel more comfortable questioning bad actors posing as senior management.

Poor time and project management, or unreasonable deadlines, are another common route for cybercriminals to attack businesses. Employees who are under pressure to complete work at speed will inevitably find ways to get tasks completed, often bypassing security considerations.

For example, if an employee has been told to share sensitive data urgently for a high-priority project, they may share through an unsanctioned platform to meet demand. Without the stress of an urgent deadline, staff are more likely to consider the security repercussions of using such a platform and make better choices.

Developers are particularly susceptible to overlooking security. They’re often working with the expectation of delivering functionality and updates quickly, to keep up with the speed of innovation across the market. Understandably, this can cause cyber security measures and controls to take a back seat, which is why cybercriminals also seek out vulnerabilities in new developments, not just older systems.

How can the relationship between stress and security be dealt with?

The first step to stamping out the connection between security threats and employee stress is to acknowledge there is a relationship between the two. By making this connection clear to everyone within the business, there becomes a business incentive to increase focus on improving employees’ wellbeing.

Reducing the security threat of employee stress is very much a joint effort. Security teams can build defences that keep employees from being bombarded with threats such as malicious emails, which reduces the pressure on employees to be on the lookout. However, employees must also remain vigilant to potential risks, which means providing time for education.

Alongside education, the fear of reporting threats should be eradicated. No one wants to feel like they may be blamed for causing a breach or wasting the security team’s time. It’s important that the messaging around employees reporting threats remains positive.

What about those on the front-line of security?

Remember that security teams are not immune to stress and they’ll also face the same challenges of working in an intense environment. Security teams will be investigating thousands of alerts per day, all of which could be a breach.

The sheer volume of alerts is a stress trigger but the pressure is increased significantly when combined with the knowledge that any one of those alerts could be an attack that damages the company’s reputation and makes the business liable to a fine. As with any human, that pressure can lead to mistakes.

Providing tools to assist the security team’s work decreases the issue of stress-induced human error by giving the team some breathing space. For example, some parts of the security process can be automated. Alternatively, some parts of management and monitoring can be outsourced to security specialists.

Ultimately, employees perform best when they have a positive state of mind, are working in a comfortable environment, and have room to think beyond autopilot. By prioritising these elements within the workplace, the repercussions of cybersecurity-related stress can be significantly reduced, and defences against cyber-attacks increased.

Andy Robertson

Head of Cyber Security at Fujitsu UK&I

Andy joined Fujitsu in 2018 as the Senior Director for Security Professional Services and oversaw a period of growth for Fujitsu’s Security Consulting practice, before stepping up to lead the UK&I Cyber Security business in 2021. Andy’s background is predominantly in consulting and professional services with the likes of PwC, Detica and BAE Systems. He brings a wealth of experience with roles across Consulting, Account Management and Pre-Sales, as well as leading Transformation Programmes.
