Why IT systems are most at risk after the holidays
The first week after the holidays was awash with ‘back to work’ memes as people voiced their struggle at venturing back into the office after a period of excess over Christmas and the New Year. Social media has been flooded with gifs and other images illustrating the ‘joy’ people felt about being back, but our struggles have a clear scientific basis, whether it’s the lack of daylight those of us in the northern hemisphere are experiencing, the relatively long period until the next holiday, or even withdrawal from alcohol and other holiday staples that people decide to abstain from in January as part of new year health drives.
It’s easy to treat such scenarios in a light-hearted way, but research from the University of Delaware highlights how they could have very real implications for the cybersecurity of our organizations. The findings center on the impact our generally low mood has on our willpower and self-control, with the researchers hypothesizing that the lower our willpower, the more prone we are to engage in behaviors that place us at risk of hacking.
In most organizations, there are clear policies to help guide workers in the right direction, whether it’s setting robust passwords, not installing unapproved software or avoiding dubious websites. The problem is, when we’re not at our best, we’re more likely to violate those policies.
The study focused primarily on the kind of insider security breaches that are such a common problem in our organizations, with many of these breaches resulting from noncompliant behavior by employees. If we’re tired and generally a bit grumpy, we tend to be less disciplined in a variety of ways, and the diligence with which we adhere to our employer’s security protocols is no different.
So what can you do about it? A recent study helpfully highlighted how good cross-country skiers were at overcoming the generally miserable post-Christmas mood, but on the off chance that you don’t have access to snow, there are thankfully a range of things you can do to boost your self-control, and subsequently remain secure as you go about your work.
- Be in control - A good first step is to believe we are largely in control of our destiny. Gene Heyman famously argued that a starting point for many of our addictions is a lack of belief in our own agency. A sense of control, therefore, is often a good starting point for a range of constructive behaviors.
- Set some goals - I know, I know. January is lethal for New Year’s resolutions that seldom make it past the end of the month, so setting goals must be a waste of time, right? Yes and no. Goals inevitably help to guide our choices, and work especially well when they’re specific rather than abstract. Many workplaces now gamify this process as part of wellbeing initiatives, so consider doing likewise for cybersecurity.
- Get feedback - Another central concept of a gamified approach is to get feedback on your progress. The ability to self-monitor our progress towards the goals established previously is crucial to maintaining the right behaviors.
- State the importance - It’s tough to adhere to policies if you don’t appreciate their importance. Cybersecurity may be obvious in areas such as healthcare, but even there, breaches are commonplace, so it’s vital that employees appreciate how their actions really matter.
- Give support - It seems unlikely that any individual will engage in unsafe behavior willingly, so it’s important that any attempts to ensure people adhere to policies are accompanied by support so that they have confidence in their ability to do so, even if their willpower is low.
- Reduce stress - Self-control is largely a matter of energy, and there are numerous things in our working life that diminish our energy levels, whether that’s our commute, our workload, our colleagues or our boss. If you can help reduce stress as much as possible, it will help employees do the right thing in terms of cybersecurity.
- Build resilience - This goes hand in hand with the aforementioned notion of reducing our stress, as there are various things we can do to better buffer the stresses we do face, from getting more exercise and more exposure to nature and daylight to utilizing meditation and mindfulness.
Research has shown that initial cyber breaches are often followed rapidly by a second, so it’s best to try and ensure no such breaches occur in the first place. The post-holiday blues provide a fertile ground for breaches to occur, so it’s vital that employers take steps to help employees act in the right way. Hopefully the above tips will help ensure that happens and your organization doesn’t suffer any cybersecurity issues this winter (or what's left of it).