Social Engineering – the ART to control your Amygdala
The Amygdala is an almond-shaped structure in the center of our brain which triggers emotional responses including fear, anxiety, and aggression. It has been instrumental to our survival for the past 3 million years. In modern times it can be turned into the weak link in our defense mechanism.
Cyber criminals masterfully exploit the basic reaction pattern of the Amygdala to perform their magic. Namely, once the Amygdala is triggered, the part of the brain responsible for conscious decisions (prefrontal cortex) is momentarily out of action. We mainly react instinctively and are limited in our ability to deliberate rationally over our decisions.
Hence, typical social engineering attacks often involve time or financial pressure, threats to our safety (physical or job security) and the fear that inaction might cause even more harm. This is already quite hazardous, and attacks are becoming more and more advanced. Cyber criminals are increasingly using sophisticated methods to create threat backdrops based on personal information about the victim. The Amygdala reaction has been used for centuries to get people to do things they never intended to do and, until recently, without anyone even knowing about the existence of the Amygdala.
What perilously adds to the problem is the constant stream of stressful situations faced by the modern workforce. Hundreds of studies have shown that our Amygdala is firing relentlessly, even during a normal work day, with no sensible way to stop the cycle and release stress. Consequently, if you add just a little bit more to this stress level, it usually is the “straw that breaks the camel’s back”. People react completely irrationally in ways which in hindsight they can’t explain. Dozens of seemingly unfathomable social engineering attacks bear witness to this effect.
So, are we doomed to simply surrender to the shortcomings of our human heritage? I suggest we learn to regain control of the Amygdala stress reaction using ART – Awareness, Relaxation, Trust.
First and foremost – AWARENESS: We at SAP train our workforce to recognize social engineering attacks in multiple ways and on an ongoing basis. The more often we are confronted with such information, the better we become at recognizing the patterns (something our brain is incredibly good at). We run awareness campaigns with fake phishing attacks that help people recognize such emails and train them where and how to report them. We launch funny videos and online challenges, and use a gamified and entertaining approach that increases the willingness to engage and, as is known, improves the capacity to learn.
Second – RELAXATION: For a long time, we at SAP have emphasized the importance of mindfulness and self-care. The SAP Global Mindfulness Practice helps SAP employees to develop strategies to reduce work stress overall and learn how to become more self-aware. The more resilient we become to stress, the more pressure is needed to set off the Amygdala alarm. The threshold is effectively set to a higher level. Even if you end up in an overwhelmingly stressful situation, knowing how to calm yourself, e.g. with breathing techniques, lets you stop the Amygdala from going rogue. This gets your frontal cortex back into the game and allows you to make rational decisions.
The third pillar is TRUST: employees need to know they are allowed to make mistakes. Even if they fall for a social engineering attack, they should know where and how to report the incident – without the fear of consequences. Important note: the worst part of an attack is NOT getting attacked but the incubation time afterwards. If the attacker gets in unnoticed, they will worm through the company’s virtual entrails and steal or harm as much as possible in whatever time is available. Shortening this time period to a minimum is crucial. When employees at SAP have been attacked, they know where to report the incident. They also have the confidence that our SAP Global Security team can handle the attack. We do not punish people for getting attacked. Human beings make mistakes and thankfully have the tendency to learn from them. Rather, we encourage our employees to report everything they feel uncomfortable about. Even if it turns out to be perfectly harmless, we would rather spend some time unnecessarily than ignore the one fatal attack that can cause significant harm to the company.
Hence, ART can help to control the Amygdala reaction and thus help to protect your company. We at SAP know we can rely on our workforce to help us protect SAP!