Mindfulness in Cybersecurity Culture
Updated: Feb 22
A couple of months ago I sat in an Uber which dropped me at the workshop where my car went in for a service. The area is not the best in Cape Town and it was already after dark when we arrived, so I scanned through the windows for any potential shady characters. I was also chatting with the driver who told me a story about his grandpa from Germany, I was packing my rucksack and my handbag, and with all of this going on I also had the bright idea of checking my emails on my phone. And at that exact moment, I received an email requesting me to update my Uber account details.
Now if I received this mail while at the office, I wouldn't have given it two thoughts. It is very obviously a phishing email, pressurising me into updating my account details. However, for some reason, in the Uber car, I clicked on it.
Luckily it was just a simulated phish and I'm still amazed at how well-timed this was. But I failed the test which meant as a consequence, I had to take remediation training - which was a course I developed myself a couple of years ago.
Our Security team also asked me to fill out a short survey, which I found very interesting - the results of which showed that 53% of my colleagues fail these tests, not because of a lack of training - we should all know better, seeing that we work for KnowBe4 and are in the business of security awareness training - but we fail these tests because we are multitasking, distracted or too busy. That made me look into this topic a bit deeper and I found other research confirming this. For example, in a study by Tessian in 2020, distractions were behind 47% of people falling for phishing emails.
When reflecting on my story above, I found 3 things in it that related to our human vulnerability when it comes to social engineering attacks:
1. The multitasking trap: I was obviously distracted and trying to juggle a couple of things at the same time. Multitasking is a myth though and has a really negative impact on our cognitive functioning and mental health.
2. The emotional trigger trap: Social engineers purposefully use messaging that is emotionally triggering to suppress our critical thinking. This technique is also referred to as the amygdala hijacking attack and is a very common goal of phishing emails. The phish I received for example used a very commonly used low-grade form of fear mixed with urgency, by threatening to deactivate my account if I don't act quickly.
3. The system 1 thinking trap: The coincidence of sitting in an Uber car and receiving an Uber email at the same time made my fast-thinking brain jump to a very quick and wrong conclusion: 'must be legit'.
So how can mindfulness help?
There are many definitions of Mindfulness, but one that I really like is this one:
"To simply experience a moment as it is, free of judgment."
Researchers Brown and Ryan argued that mindfulness promotes self-regulation by interrupting the so-called “autopilot”, i.e. automatic thoughts and behavior patterns. For me personally, mindfulness just simply means adding a pause between the trigger and our reaction and trying not to identify too much with our thoughts or emotions.
There is plenty of research stating that mindfulness results in fewer commission errors and improves attention to tasks. Mindfulness techniques can help combat some of our distraction, stress, and multi-tasking symptoms as well as help to be more focused and less reactive.
I also came across some research that showed “Supplemental training using a mindfulness approach improves resistance to phishing attacks.”
These are some of the techniques that I personally find really effective:
Stop multitasking and do one thing at a time
Being aware of how bad multitasking is, is the first step to changing it. There are two great books that really changed the way I think about multi-tasking (hat tip to James Francis for the recommendations): The Practicing Mind by Thomas M. Sterner and Dopamine the Molecule of More by Daniel Z. Lieberman and Michael E. Long. And in his book Deep Work, Cal Newport outlines the importance of finding silence and single-minded focus time, especially in the morning.
Create a daily schedule with non-negotiable time for “focused work” and protect that time. Switch off notifications, close the door, and minimize distractions. I try and reserve my mornings for focus and concentration time and avoid scheduling meetings before lunchtime.
Chunk your emails & chats: communication time eats into everything we do. Commit to working through your emails and IMs in 20-minute “bursts”. I've switched off all notifications on my phone and I close my email and Slack while I'm working on something else.
Build in breaks: to focus on single-tasking, we need to have moments to refuel, for example, try working for 45 minutes and then taking a 5-minute break away from your desk.
Slow down and do one thing at a time. It's a bit awkward at first, but I try not to look at my phone while waiting in line for my coffee.
Use mindfulness: When you get pulled towards a distraction, whether from outside or your internal thoughts: first, become aware that you are being pulled. Then observe your reaction before you give in to the impulse. Don’t judge it, just acknowledge it. And then make an intentional choice about what to do next. Focusing means silencing both external and internal noise, becoming aware of impulses, and making reactions more mindful, conscious, and intentional.
Distractions are a reality of modern life. We can't become frustrated with those intrusions; it just saps energy. I expect them to happen and try to slow things down consciously. Ironically, when I'm able to succeed in slowing down, I end up getting so much more done in a day.
The Amygdala: our built-in alarm system
If we manage to view our amygdala a bit like a warning system instead of just reacting to it, it becomes a powerful tool. For example, when a message makes you feel tense, or stressed, acknowledge how your body feels and what it is doing. Pay attention to any tightness, agitation, heat, or discomfort. If your body’s flight-or-fight response is triggered, your body knows and gives you signs that something is up, before you even become conscious of it.
When you become aware of this, without giving in to the impulse to react, it allows your critical thinking or executive function to take control again and react in a calmer state. Ultimately we want to move from an automatic reaction to a more rational response.
Just pause to interrupt that reactivity and first impulse.
Then take a few calming breaths.
Tap into your senses, and focus on what you can see, hear, taste, and feel. Observe how your body feels, focus on your feet on the floor or your contact points on the chair. Your body's sensations can help you ground yourself.
Label how you feel. When you label what you feel, you are reactivating your thinking brain and it will help you regain control. For example: 'This message makes me angry.' Validating it helps you to control it and reduces the intensity of the emotion.
The Power of Breath
The quality of our breath directly impacts the quality of our lives. Controlled breathing has been shown to reduce stress, increase alertness and boost our immune system. Breathing sends a message to our brains to relax, which in turn tells the body to decrease stress responses. It activates our parasympathetic nervous system which is a network of nerves that make us feel calm and relaxed. At the same time, controlled breathing is massively practical, it's free, and it's easy. It’s a bit like meditation for people who can’t or don't want to meditate. And it totally helps us to become more mindful, more present, and less reactive, meaning less susceptible to clicking mindlessly on stuff, like phishing emails. Or Instagram offers.
Here are some breathing techniques I find really useful:
According to the book Breath by James Nestor, the perfect breath is about five or six breaths per minute. You can do this by breathing in for about 5.5 seconds, then exhaling for 5.5 seconds. If you have the time to learn only one technique, this is the one to try. Again, it just means slowing things down.
Belly breathing, also called diaphragmatic breathing, is one of the most common types of deep breathing and is a great place to start. This technique is helpful for relieving stress and overall relaxation. Just inhale deeply through your nose and feel your belly expanding. I find placing my right hand on my belly and my left on my heart space makes this very calming.
Box breathing or 4-7-8 breathing technique is a bit more structured and helps relax and reduce anxiety. It can also be used to help fall asleep. Just count to 4 on the inhale, hold for 7, and count to 8 on the exhale.
The Power of Movement
The fact that exercise is good for our health is a given but you don't even have to do a full gym workout - just a simple 5-minute walk in nature will already have a calming effect on your stress response.
One of the biggest impacts of the Yoga teacher training programs I attended was the calm I felt after being in my body for a couple of hours each day. It made me experience what the word embodiment actually meant. In Dr. Laurie Rauch's book Keeping Calm he provides a detailed breakdown of the principles required to master our Brain Reward Systems to optimise our health, well-being and performance – in sport, business, and life. A lot of it has to do with using spinal movements to influence our thoughts and emotions.
By activating our spine first thing in the morning, for example through doing some forward folds or just rotating your arms and shoulders, you are releasing positive feelings and reducing anxiety.
The Power of Sense Hacking
Tapping into our senses to get us focused or relaxed is the story behind the Zensory, which is an immersive focus platform designed to help its users return to optimal mood and focus on the task at hand. The team behind the Zensory combines cutting-edge neuroscience techniques with traditional therapeutic practices for well-being and provides mindfulness tools, such as binaural beats, nature sounds, interactive touchpads, and breathwork so that you can get into a more focused headspace. The best part? These techniques can be used while working. Think of a binaural beat-nature sounds playlist that you listen to while you are writing a blog post, sifting through email, or preparing for a presentation. This helps you really deep dive and focus. I've been listening to their binaural beats and nature soundscapes whenever I need to deep focus, for example right now while writing this blog post.
Since learning more about the damaging effect multitasking can have on our mental well-being and general productivity, I've tried to make a few changes in my life that should have prevented me from clicking on that phishing email in the Uber situation. However, old habits don't die easily, so I still have to remind myself to apply these changes each day.
If I was taken back to that situation in a more mindful state, I probably would have done the following:
Firstly, I now have a rule not to check my emails while doing other things. When I'm speaking to someone I make a point of leaving my phone in my bag. So while I was speaking to the driver I should have just focused on what he was saying rather than mindlessly being glued to my screen.
If I observed that my body felt a bit tense I should have used this as a warning signal, rather than just rushing ahead and clicking on that link.
If I slowed things down more, I would have still arrived safely, I would have had an opportunity for real human connection with the driver, and I would have kept myself from making errors.
Would have, could have, should have. Hindsight is a wonderful thing.
What my story taught me, though, in a visceral way, is the importance of taking a human-centric approach to cybersecurity culture and awareness. People are not robots, we consist of thoughts, feelings, and emotions. And sometimes those are turned against us. The best way to run a 'Cyber mindfulness' campaign is to partner with the HR and wellbeing teams. The power of combining cybersecurity awareness messages with mindfulness techniques will be multi-fold. Apart from helping people be more cyber aware, mindfulness can help us become more focused, productive, and happier too.