Up to 90% of all successful cybersecurity attacks involve social engineering; exploiting human vulnerabilities. While technical measures like strong passwords and anti-virus updates are crucial, cultivating mindfulness can be an equally powerful defence against these human-centric attacks, writes Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 AFRICA.

There’s nothing worse than knowing that someone has just hacked into your account. Whether it is your inbox or your bank account does not matter. You can relate to that awful, sick feeling in your gut that you have been foolish enough to fall for someone’s trickery.

Social engineering is how most cyber criminals get the key to your front door. They dupe you into revealing your password or logging into your online account, often instilling fear or a false sense of urgency. These attacks can be in the form of phishing emails, phone calls, SMSs, social media messages, chat apps or on gaming platforms.

Social engineering is the reason, no matter what security measures you have in place on your devices, criminals will circumvent them. Scammers are experts at bypassing cybersecurity defences and manipulating the human mind.

Understanding human vulnerabilities

Why are humans so susceptible to hacking? Many factors make humans vulnerable to social-engineering attacks. These range from cognitive, psychological, behavioural, and situational factors to simple demographics (teens and older adults are most often targeted). Cognitive biases play a role here, such as a confirmation bias that seeks information that confirms what you already believe, but so does stress and fatigue.

When you have been doing the same task for a while, your ability to remain vigilant decreases. Similarly, being distracted and multi-tasking are situational factors which can impede your thinking. (This happened to me while chatting to someone and checking my emails at the same time—I unwittingly clicked on a simulated phishing test.)

Mindfulness: A powerful defence

Amid all the horror stories of social engineering, it is comforting to know that there is a defence that we can all tap into and that costs nothing: mindfulness. Mindfulness is the practice of remaining alert, calm, and present. Rather than being a personality trait, it’s more a state of mind.

Three fundamental aspects, each of which directly relates to improving cybersecurity awareness shape mindfulness:

1. Present moment focus: By staying attentive to the current task, you are less likely to fall victim to distractions that could lead to security mistakes.
2. Meta-awareness: This involves being attentive to both internal experiences (thoughts and emotions) and external ones (such as unusual email requests or suspicious phone calls).
3. Non-judgmental and non-reactive attitude: This allows you to approach potential threats or emotional triggers with curiosity rather than fear, enabling more rational decision-making.

Mindfulness is the perfect countermeasure to the mindlessness that makes you vulnerable to phishing. I have done extensive research into how incorporating mindfulness into cybersecurity awareness training programs can enhance people’s defences against social engineering attacks. This is especially crucial as cybercriminals are progressively using advanced methods using generative AI and automation in their attacks, highlighting the need for mental resilience.

Practical mindfulness techniques for cybersecurity

There are many practices to nurture mindfulness and awareness that can directly improve your cybersecurity posture.

1. Single-tasking: Start your day with a list and be intentional about doing each task in 45-minute sprints. This focused approach can help you stay alert to potential security risks.
2. Mindful email checking: Instead of constantly monitoring your inbox, set specific times for checking emails. This allows you to approach each message with a more reflective and security-conscious mindset.
3. Body awareness: How fast is your heart beating? What is your breathing like? By focusing on these vital signs first, your body might identify that ‘something is off’, indicating a potential security threat before your rational mind is aware of it.
4. Breathing: Perhaps the most well-known technique to calm our nervous system is deep belly breathing with longer exhales. An example is the 12-second box-breathing technique practised by the US Navy Seals. When you feel tense, anxious or pressured into an urgent request, take a moment to practise this technique before responding.
5. Pause and reflect: Before clicking on links or downloading attachments, pause for a moment. Ask yourself: “Is this expected? Does it make sense?” This moment of reflection can prevent many security breaches.

Implementing mindfulness in security awareness training

I believe that empowering individuals to become more mindful can really complement security awareness training. This could also involve ways to organise our work so that we are less stressed, whether it is having shorter meetings, doing a stretch class during our lunch break, or simply doing one thing at a time.

Cultivating mindfulness not only enhances overall well-being but also serves as a powerful tool in strengthening cybersecurity defences. By incorporating mindfulness techniques into our daily routines and cybersecurity practices, we can create a more robust defence against social engineering attacks.

By staying present, aware, and calm, we can transform our minds into our greatest cybersecurity asset.