(Illustration by Emily Faith Morgan, University Communications)
The next time you're on an office scavenger hunt or trying to find your way out of an escape room with your co-workers, just remember that every second of shared experience helps tighten cybersecurity within your organization.
That thought may never have occurred to you while on a team-building event, but research from a group of professors from the University of Virginia's McIntire School of Commerce shows a new, important benefit to organizational bonding.
McIntire's Brent Kitchens, Steven L. Johnson and Ryan Wright, with support from UVA Chief Information Security Officer Jason Belford, recently published the article "Phishing Susceptibility in Context: A Multilevel Information Processing Perspective on Deception Detection." The article explains why employees fall victim to phishing email scams that compromise the security of their organizations, despite a heightened awareness of security. It's estimated that 70% to 90% of all cybersecurity breaches start with phishing emails.
They tested their hypotheses in a study where employees of the finance division of a large university encountered simulated email-based phishing attempts as part of their normal work routine.
Among their conclusions is that companies, in addition to investing in phishing training, should invest resources into creating collaborations and connections between employees. It's approaching phishing-attack prevention as a "team sport," Kitchens said.
"No organization," Kitchens said, "is thinking right now, 'Hey, we should do some team-building to increase our cybersecurity resilience.' But that's what they should be doing. That's exactly the type of thing that is going to create better resilience."
Phishing is a type of scam where attackers use deception to get people to reveal sensitive information. In a workplace, an employee's vulnerability to a phishing attempt could lead to severe consequences for an organization.
UVA Today caught up with Kitchens, Johnson and Wright to learn more about their research and the benefits of a more collaborative work environment.
Q. If you're socially isolated within an organization, how can that impact your susceptibility to a phishing attack?
Johnson: One of our findings was that an isolated person within an organization is more susceptible to a phishing email attack. It's as simple as, when a potentially suspect email arrives in the inbox, if that person doesn't have a lot of interactions with other people at work, they might not have someone easy to ask about the risk.
Or that person might be so focused on just getting tasks done that they don't question whether that's a task worth doing. If they see their job as just, "I'm going to sit here in the organization and respond to incoming stimuli and answer every email," then they're vulnerable.
But if you're plugged into an organization and plugged into the workflow, you understand the bigger objective and you might be like, "This little thing that I'm being asked to do in this email, like that just seems weird. It doesn't seem to me like it would be helpful."
Kitchens: The less you're connected, the less you're going to feel confident or comfortable making these decisions, and you're going to make mistakes.
And so that's exactly the type of interaction that we would say, based on this research, you need more of: having people have informal conversations, reaching out, being able to ask questions, go out, corroborate and collaborate when they get something that seems suspicious. It's certainly helpful.
Q. How difficult is it to guard against phishing attacks in fast-paced, high-pressure jobs?
Johnson: What we found was that if you're in a job with a lot of time pressure, that's going to increase the vulnerability. You might sit down in the morning, you're groggy, and you're like, "I've got to go through these 30 emails before this meeting."
Well, in that case, you're not really thinking and asking yourself, "This request I just got in this email, is it legit?" And the next thing you know, you've given somebody your user ID and password.
McIntire professors, from left, Brent Kitchens, Ryan Wright and Steven L. Johnson found that employees with less connection to coworkers are more susceptible to phishing scams. (Contributed photos)
The key is to be more mindful. Just take that pause and say, "Is this really legitimate?" And, if you're really connected in an organization, that's the opportunity to ask your co-worker, "Hey, I got this request. Did you get this email?" Even in severe time pressure, you would feel comfortable taking a moment and checking in with a colleague.
Q. What surprised you most about your findings?
Wright: One of the most surprising findings in this study was that employees who are the heaviest users of the IT help desk are the most vulnerable to socially engineered attacks.
You would think that employees who reach out to the IT professionals are more secure. We found the opposite happened. We theorize that employees who are heavy help-desk users feel a sense of indemnification.
Essentially, they perceive cybersecurity as an external responsibility, specifically the domain of the IT department. They adopt the belief that should they inadvertently click on a malicious email or engage in potentially insecure activities, the onus is on the IT department to safeguard them, absolving them of any personal accountability.
Johnson: If you have really high trust in technical support, and you got that because you use them a lot, then there's an indemnification that then you feel like, "Hey, if I do something wrong, they're going to bail me out."
While it's good to have a good relationship with tech support, it's an even better thing to have a good relationship with other co-workers who can help you understand how to use the systems to get your job done.
Q. Based on your findings, what recommendations do you have for organizations interested in heightening cybersecurity practices?
Wright: We recommend pivoting the focus of cybersecurity training from individuals to teams. Our findings show that team-based relationships make individuals less susceptible to social engineering attacks.
This principle aligns with longstanding knowledge from organizational behavior studies asserting that team performance significantly impacts overall organizational outcomes. As it turns out, the same holds true for cybersecurity: team dynamics greatly influence an organization's overall cyber resilience.
Kitchens: It's very effective to hear other people's war stories. An implication of our research, and a recommendation that I would make, is to have these group discussions as an opportunity for people to share what has gone well and what's gone poorly. Like, what they're seeing as the typical kinds of requests they're getting that are clearly not legitimate.
And then maybe also requests that they get that, at first, they thought weren't legitimate and then they found out they were.