Security Awareness Tips for (IT) Workaholics

August 23, 2018 by Dimitar Kostadinov


Everyone knows a workaholic. These individuals work a lot longer than forty hours, work during breaks and days off, are distracted during off-hours, talk about work all the time, check their emails often … and, because it’s not as high on their priority lists, they don’t always pay enough attention to security.

If you’ve spent any time in the IT sector, you know that the professionals there often continue to work after the end of their contracted hours (41% according to the survey Employee Pulse by Qualtrics). A skills shortage in certain IT areas has led to increased workloads on existing staff, which, in turn, eventually results in high burnout rates and human error.

In this article, we’ll be reviewing security awareness tips for workaholics, both in and outside of the IT sector. We’ll be covering some security problems most workaholics may come across, such as phishing and social engineering scams, the lack of effective and efficient incident response mechanisms, lax security controls concerning remote working and more.

Incident Detection and Incident Response and Handling

Threat detection that is manually intensive, complex and time-consuming is a major problem for cybersecurity professionals. It will make you a workaholic even if you don’t want to be; that is, it will if you wish to do your job properly.

Automation is key here. Having an IR strategy with clear steps on how to act under pressure is the most effective way to react in a timely manner in order to contain and control the outbreak. It is advisable for companies to invest in security software that will monitor and identify risks prior to any harm being caused by malicious actors. PowerShell and Bash scripting are popular for task automation and configuration management.

Integrating automation in the incident response strategy has a number of benefits:

  • Dispense with the slow and tiresome manual process
  • Allow staff to focus on other tasks
  • Provide better visibility regarding patterns of cybersecurity incidents
  • Prioritize and manage risks based on an assessment of their critical status
  • Enable the utilization of a single platform for security incident management

Through artificial intelligence (AI), businesses could also try to compensate for the skilled worker shortfall. By significantly decreasing false positives, for example, AI technologies and/or automation will make existing IT teams more efficient while, at the same time, allowing them to avoid alert fatigue. Long hours spent on otherwise mundane routines could be dedicated instead to the development of a more effective IT governance process. Moreover, AI empowers log/triage analysts to be something more than reactive defenders – the hunted become the hunters.

Training is cheaper than sophisticated cybersecurity technologies. Lesley Carhart, team lead for Motorola Solutions’ SOC, put it this way: “Incident response skills should be drilled until [employees] are easily recalled under pressure […]. The objective is to do critical tasks and processes so many times that in a high stress environment, they can be done without much effort.”

Phishing and Social Engineering Dangers

According to a study by SME card payment services firm Paymentsense, being out of the office but still working remotely makes you more susceptible to threats such as phishing.

55% of organizations have experienced a security incident due to a malicious or negligent employee. Simulated phishing attacks are an excellent practical way to check the staff members’ preparedness to ward off phishing attacks.

If you are a true workaholic, then you are more likely to become a victim of a phishing scam. Waiting patiently for someone to make a wrong move, cybercriminals ruthlessly prey on individuals who are distracted due to numerous hours of mundane routines. For example, the probability of clicking on a bad link or opening a malicious attachment is greater if you are busy or tired or both and you do not take heed of the following recommendations:

  • First and foremost, try not to act hastily. Read the content of the email/message and look for misspelled words, bad grammar (e.g., “am” instead of “I’m”), illogical requests (most of all, requests for login credentials or other sensitive information) or any other suspicious signs. Deactivate macros. Keep in mind that many financial or governmental organizations will almost never contact you asking for sensitive or personal data, because the simple fact is that email is not a secure communication medium
  • Perform a URL inspection. Hover over the URLs embedded in the email and check their true destination. See whether it starts with “https://” instead of “http://”
  • For password requests, first enter an incorrect password, as a legitimate website will not accept it
  • Two-factor authentication adds an extra layer of verification and is an effective method to counter phishing attacks that attempt to steal your login credentials. Frequently changing the password (and always in the wake of security incidents or even out of reasonable suspicion of such a possibility) is also advisable
  • Listen to your intuition. If something seems “phishy” to you, it probably is

Do you have a demanding boss who’s always asking for something? Whaling is another phishing variant that doesn’t necessarily involve stealing credentials or duping someone into installing malware; instead, criminals use spoofed or hijacked VIP emails to request sensitive corporate data, restricted employee data or payments by wire transfers. Phishers are counting on those busy people that are in a hurry and open attachments and embedded links without giving much thought to the consequences.

You should carefully examine the email and, if you have any doubts about it, contact the sender by phone. Or even better — talk to him/her in person.

Remote Work Security for Work Addicts

Security pundits have arrived at the conclusion that the risks are increasing when people work from different locations. In this regard, CompTIA’s Zeshan Sattar said: “People want to work anywhere and everywhere. They open their laptop up and it is confidential – they are really not thinking about what they are doing. Yes, we can look at the technology, but we also need to look at the people and the human risk.”

The risks of data leakage are magnified when employees are allowed to access the corporate network anytime, anywhere. In Microsoft’s estimation, the average cost of a data leakage is $3.8 million.

Nowadays, the majority of companies (82%) allow their employees to use personal devices for work purposes, sometimes without much oversight. From a corporate point of view, however, probably the most essential measures are: creating an effective BYOD policy, educating employees on how to protect their equipment while being outside the office, and 24/7 monitoring of the entire IT infrastructure. If there is a robust corporate BYOD policy in place, employees should act in accordance with its provisions. Irrespective of whether or not there is an effective BYOD policy enacted and enforced by the company, remote workers must observe several basic recommendations:

  • Minimum required security controls should include data encryption and password requirements. Follow the best practices for passwords – e.g., three random words easy to remember. Use PINs, screen locks, or biometric scans and use them wisely – for instance, be careful of scammers using shoulder surfing. Are your screen timeout controls effective?

Reverse Smudge Engineering – greasy finger traces may give away your lock screen pattern. It’s not the best image quality, but can you guess the pattern? You can find the answer at the end.

  • Avoid connecting to public Wi-Fi hotspots unless it is absolutely necessary. In case you need to connect, use a VPN. If you do not intend to use the connectivity functions of a device, turn them off
  • Install patches and updates for all software in use. Use only the latest version of a reliable anti-virus program
  • It’s good to lean on technical support (provided that there is one) in situations where you are not sure how to address a certain security issue
  • 230,000 strains of malware come into existence every day. By simply using one device for all kinds of purposes, the possibility of a malware strain infiltrating a company’s network is relatively high. When employees use personal devices for work, corporate data often becomes entangled in heaps of other data to a point where the employee may not know which is which. Techniques such as sandboxing or ring-fencing may be the key to dealing with the problem of personal data and corporate data coexisting in the same location. For example: by keeping corporate data in a specific app, this data can be recovered through a backup facility in the event of an emergency
  • According to Mike Hicks, VP of Strategy at Igloo Software: “The main security concern stemming from remote workers is the vast amount of online information sharing.” Unfortunately, only one-third of companies appear to have good knowledge of their IT environment in its entirety (online, virtual, offline, physical, etc.) according to a 2018 study by Ivanti. Owing to the 2016 U.S. presidential election, many people realized the dangers that may occur because of downloading or sharing sensitive data on insecure servers. External hard drives or cloud-based storage systems are preferable back-up methods. Be aware that such repositories are in the cybercriminals’ crosshairs, as well. Having a secure corporate hub is among the most reliable options for storing and exchanging information
  • Consider remote wipe controls in various situations: lost device, termination of an employee’s contract or impending threat of a malware infection that could spread from the device to the organization’s data/infrastructure

An acceptable-use policy is another data governance mechanism (which may be incorporated into the BYOD policy) up the CIOs’ sleeve that is designed to control loose security practices in teams full of hardened workaholics. It serves to determine permitted applications, banned websites, what company-owned assets can be accessed, secure ways to store or transmit work materials, etc.

Photo by Identity Force /CC


A Preoccupied Mind Turns Everything Into Background Noise

A Code 42 study reports that one laptop is stolen every 53 seconds in U.S. airports. When staff members work frequently on the move, there is a higher risk of their devices being stolen or lost. They may inadvertently leave mobile devices, laptops and documents containing sensitive information unattended in public areas or vehicles. Even ostensibly innocuous tampering with such a device by a friend or family member may result in disastrous consequences.

When you work at a public location, the physical security of equipment is much more important than it is in the context of working at the office. There are a number of common physical security threats to people who often work outside their offices. Piggybacking/Tailgating, Dumpster Diving, and Shoulder Surfing are probably the most common threats that lurk in the shadows, ready to take advantage of people whose minds are entirely absorbed in work activities.

Conclusion: Burnout Syndrome: A Full-Blown Collapse of Workaholics’ Defense Mechanisms

Dr. Julia Mossbridge, Director of the Innovation Lab at IONS (San Francisco), explains about the burnout syndrome in the tech industry: “I’ve been giving talks at Silicon Valley companies and we’ve uncovered a real problem in the industry—mistaking work engagement for what is really an inability to switch off and do any self-care at all—essentially coders cracking up under pressure. At Google they call it the Superhero-Burnout Syndrome. Many engineers think of themselves as machines, yet they don’t expect their devices to diagnose and fix themselves. But they assume their minds and bodies will reboot. It just doesn’t work like that.”

If you are a person who always stays after hours to solve problems that are not only your responsibility, try to change the dynamics a bit by suggesting that other experienced colleagues also deal with these problems on a rotational basis. Although it might be a difficult decision to make, especially for true work addicts, occasional delegation of entire tasks to someone who is able and willing to help you can be the breath of fresh air you need.

Security personnel fight not only criminals, but also cybersecurity fatigue. Their profession simply predisposes them to be on edge for long periods. There are rarely any clear wins, but the impending dangers are always near. What is worse – many such job positions leave you feeling as if you do not contribute enough to the overall success of your IT company. Unsurprisingly, it is challenging not only to attract talent to cybersecurity, but also to retain it.

A mindfulness meditation course is the simple solution for tiredness on which some Googlers rely, as they report that meditation makes them feel “calmer, clear-headed, and more focused.” Restful practices do not just help workaholics disconnect from work: they are good for health and may boost innovation, too.

Creating social events may be the key to overcoming burnout by driving inclusivity. Acknowledge the need for time off – that is a difficult endeavor because our society tends to praise grinding.

A person is inclined to be most satisfied with his job when he understands his role contributes to the well-being of the company, has the proper level of training, and has the right equipment.

Curiously, the survey Employee Pulse by Qualtrics shows that workers who spend more than 60 hours a week fulfilling their job duties feel very positive, despite the concomitant stress and fatigue due to long working hours. These employees seem to feel more engaged and committed.

In the end, there appears to be a subtle difference between hard workers and workaholics – it is how much more the work affects the life (and by extension the security) of the latter.

Finally …

Did you spot the pattern on the screen?


BYOD in UK SMEs linked to security incidents, ComputerWeekly

Cybersecurity for the work-anywhere generation, The Guardian

3 Solid Cybersecurity Tests for Your Employees, DivergeIT

Working Smarter, Not Harder: Bridging the Cyber Security Skills Gap, SecurityWeek

Effects of Bring Your Own Device (BYOD) On Cyber Security, Fossbytes

How To Keep Your Data Safe When Working Remotely, WorkflowMax

CSO burnout biggest factor in infosec talent shortage, CSO Online

Dropbox adds 1TB of storage to its Professional and Business plans for free, Venturebeat

Workaholic Americans don’t take all their vacation, CNBC

10 bits of career wisdom for beginning cybersecurity professionals, TechRepublic

Survey reveals workaholics may be happier workers, Inside Small Business

Security burnout: Avoidable or inevitable?, betanews

Cybersecurity job fatigue affects many security professionals, CSO Online

Artificial Intelligence: Beating the Burnout in Security Incident Response, IT Security Guru

The Secret to Security in the Age of Remote Working, Tech.Co

5 cyber security best practices for 2018: From culture to coping with BYOD, InformationAge

Burnout, Culture Drive Security Talent Out the Door, Dark Reading

5 Tips for Implementing a Secure BYOD Policy, Sensors Tech Forum

This Company Is Helping Silicon Valley Workaholics Chill Out, PCMag

How Googlers Avoid Burnout (and Secretly Boost Creativity), Wired

Mobile phone image for the Reverse Smudge Engineering question courtesy of Ms. T

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master’s degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to Law and Politics of International Security at Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.