Workplace Mental Health Crisis is Increasing Cybersecurity Threats
Mental health at work is undergoing a rapid transformation. Even before the COVID-19 pandemic, which has caused an increase in feelings of loneliness and isolation, workers’ mental health was under pressure.
According to a recent workforce health survey, 40% of workers experienced mental health issues this past year, double the year before. We are in the midst of a workplace mental health crisis that’s affecting individual employees and entire companies.
While it’s obvious people are not getting the mental health care they need and deserve, and we must do better as a nation, there is an overlooked aspect of this crisis affecting businesses.
The vulnerabilities and challenges associated with declining worker mental health is causing cybersecurity risks to increase, especially from insider threats.
Mental health cyber risks
Many organizations categorize employee mental health and a human resources concern, yet mounting evidence proves that the effects of mental health go much deeper. Declining workplace mental health is affecting cybersecurity in various ways. When an employee is struggling, they may reach a tipping point and become an insider threat. According to Verizon, 22 percent of all security incidents involve insiders.
A common belief is that insider threats are all done by nefarious individuals, yet many occur unintentionally from loyal employees who can make an innocent mistake if they are distracted especially as a result of mental health issues. Any mental health issue can derail an individual’s focus and limit sound decision-making.
An employee could forget security protocol and download and adopt an unauthorized SaaS platform. These platforms could lack vital security protection needed to keep internal corporate information safe and secure, leaving internal data vulnerable.
Another example that has become more prominent in a remote work-from-home world is an individual forgetting to use the company VPN or logging into unsecured WIFI. Both can unintentionally expose critical data and leave a company vulnerable to an outside threat.
Socially engineered incidents have also been on the rise. Almost all of us have seen phishing emails in our inbox at some point. Phishers pose as trusted organizations to try to get you to click on malicious links and divulge private information.
Most we have received in the past look terribly fake, yet these organizations are becoming more sophisticated as our public data becomes more accessible. These advancements coupled with an employee struggling mentally could result in an accidental click or worse.
Along with the unintentional insider threats that are affected by mental health, purposeful threats are also on the rise due to the decline in employee health. These threats can come in numerous forms, from downloading and sharing confidential information to providing cybercriminals with knowledge on how to access a system or where to find sensitive data. When aided by an insider, an outside attack often goes unnoticed for an extended period of time causing significant damage and monetary losses.
Anytime a system is vulnerable, it becomes an opportunity for cybercriminals and other bad actors to infiltrate the system causing a cybersecurity nightmare.
Steeper leadership challenges
Several years ago when we, at Shasta Ventures, doubled down on investing in cybersecurity, I realized that to truly understand the problem and the industry trends, I needed to talk regularly to the people who keep the top companies secure. We created a group of around 50 CISOs at the world’s leading organizations to meetup and discuss the threats enterprise organizations face and the technology that is needed to keep our organizations secure.
A key takeaway is that the increase in cybersecurity threats is now not just a CISO’s responsibility. The entire leadership team needs to deeply understand the risks and vulnerabilities that their team’s actions can cause.
Mental health needs to be monitored and be top of mind by all leaders. As the first line of defense, It’s critical that security leaders understand user behavior and have the tools to spot unusual, suspicious, or policy-breaking activity, which are key to detecting the early indicators of a breach.
Regularly coaching employees on security best practices and cybersecurity habits is a must for the modern organization. Evolving beyond the boring periodical security training to a program that regularly monitors the thoughts and actions of the team and reminds them of the proper protocol. An organization can’t tell an employee the rules during their onboarding and expect them to remember everything five years later without constant updates and reminders.
To protect against growing insider threats, security must extend beyond the investment in external networks and applications. There needs to be more security investment in internal networks, specifically securing the traffic moving from one internal machine to another. Security leaders need to understand the vulnerabilities and build in more east-west intelligence using AI. This will help gauge whether certain employees should be accessing a database or system.
More investment also needs to go to data exfiltration tools and preventing data exfiltration, and the investment should cover modern tools and processes such as conversations on Zoom or info sharing on Evernote.
Employee mental health is and will continue to be, at the forefront of building healthy work environments. We must take steps to support our workforce, while also securing our corporate assets.