3 June Post

Keeping Cyber Vigilance Alive When Employees Have So Much Else to Worry About

As winter settles in across New Zealand, many organisations are facing a perfect storm of challenges. Economic uncertainty continues to place pressure on budgets, ongoing geopolitical tensions in the Middle East are impacting global markets and operating costs, and organisations are simultaneously trying to understand both the opportunities and risks presented by Artificial Intelligence (AI).

At the same time, employees are feeling the strain.

Rising living costs, concerns about job security, increasing workloads, and the shorter, darker days of winter can all contribute to fatigue, stress, and disengagement. Unfortunately, these same factors can also reduce cyber vigilance at a time when cybercriminals are becoming more sophisticated and leveraging AI to scale their attacks.

The challenge for leaders is clear: How do we keep cybersecurity front of mind without creating yet another burden for already stretched employees?

Understanding the Human Factor

For many years, organisations approached cybersecurity awareness through compliance-driven training, annual courses, and periodic reminders. While these activities remain important, they often fail to account for a simple reality:

People are not security systems.

Employees are human beings balancing professional responsibilities, personal commitments, financial concerns, and their own wellbeing. When people become overwhelmed, their ability to identify suspicious emails, question unusual requests, or follow security procedures naturally declines.

Cybercriminals understand this. Modern phishing campaigns are specifically designed to exploit distraction, urgency, and emotional responses. Increasingly, AI is helping attackers create highly convincing emails, voice messages, and fake communications that are far harder to identify than the scams of previous years.

The question is no longer whether employees know what phishing is. The question is whether they can consistently apply that knowledge when under pressure.

The Impact of Economic Pressure

Periods of economic uncertainty often create conditions that increase cyber risk.

Employees may be working longer hours, covering multiple roles, or managing higher workloads following cost-cutting measures. Leaders may be focused on financial sustainability and operational efficiency. In these environments, cybersecurity can unintentionally become viewed as an obstacle rather than an enabler.

When productivity becomes the primary focus, employees may be more likely to:

• Rush through email requests.
• Ignore security warnings.
• Reuse passwords.
• Share information without proper verification.
• Circumvent security controls to save time.

None of these actions are typically malicious. They are often the result of good people trying to meet competing demands.

This is why cybersecurity culture matters. Organisations that successfully maintain cyber vigilance focus on making secure behaviours easy, practical, and relevant to employees' daily work.

AI: Both Friend and Foe

Artificial Intelligence is changing the cybersecurity landscape on both sides of the battle.

Attackers are using AI to create more convincing phishing emails, generate realistic fake websites, automate reconnaissance, and even clone voices. What once required significant technical expertise can now be achieved with widely available tools.

However, AI also provides organisations with powerful defensive capabilities, including:

• Enhanced threat detection.
• Faster incident response.
• Improved monitoring and analysis.
• Automated security operations.
• More personalised security awareness programmes.

The danger lies in assuming that technology alone will solve the problem.

No matter how advanced defensive systems become, employees remain the final decision-makers when approving payments, sharing information, or granting access. Human judgement continues to be one of the most critical layers of defence.

Organisations should therefore position AI as a tool that supports employees rather than replaces their role in security.

Winter Blues and Cybersecurity

Winter can have a surprisingly significant impact on cyber resilience.
Research consistently shows that seasonal changes can affect mood, energy levels, concentration, and motivation. Employees may experience increased fatigue, reduced engagement, and greater levels of stress during colder months.

These factors directly influence cybersecurity behaviours.

A tired employee is more likely to click a malicious link.

A distracted employee is more likely to overlook a warning sign.

A disengaged employee is less likely to report suspicious activity.

This does not mean organisations need to launch major security campaigns every winter. Instead, leaders should recognise that employee wellbeing and cybersecurity are closely connected.

Supporting staff wellbeing is not separate from cyber resilience—it is part of cyber resilience.

Five Practical Ways to Maintain Cyber Vigilance

1. Keep Security Messages Short and Relevant

Employees are already overwhelmed with information.

Rather than lengthy awareness campaigns, provide concise and practical guidance that relates directly to current threats and business activities.

A two-minute reminder about AI-generated phishing attacks may have more impact than a thirty-minute presentation.

2. Focus on Culture Rather Than Compliance

People engage more effectively when they understand why security matters.

Help employees see how their actions protect customers, colleagues, and the organisation's future rather than simply meeting compliance requirements.

Cybersecurity should feel like a shared responsibility, not an imposed obligation.

3. Celebrate Positive Behaviour

Many organisations only discuss cybersecurity when something goes wrong.

Instead, recognise employees who report suspicious emails, challenge unusual requests, or identify potential risks.

Positive reinforcement encourages ongoing engagement far more effectively than fear-based messaging.

4. Connect Cybersecurity to Wellbeing

Encourage employees to take breaks, manage workloads, and seek support when needed.

An employee who feels supported is more likely to remain alert and engaged. Human performance and cyber resilience are closely linked.

5. Make Reporting Easy

Employees should never feel embarrassed about reporting something suspicious.

Create an environment where reporting a concern is viewed as a positive action, even if the threat turns out to be harmless.

The faster employees report potential issues, the faster security teams can respond.

Leadership Sets the Tone

Ultimately, cyber vigilance is not a technology problem—it is a leadership challenge.

Employees pay close attention to organisational priorities. If leaders consistently demonstrate that cybersecurity, wellbeing, and business resilience are interconnected, employees are more likely to adopt the same mindset.

In today's environment, organisations are navigating economic pressures, geopolitical uncertainty, rapid technological change, and workforce wellbeing challenges simultaneously. Expecting employees to remain constantly vigilant without support is unrealistic.

The organisations that succeed will be those that recognise a fundamental truth:

Cybersecurity is not about creating a workforce that is constantly fearful of making mistakes. It is about building a culture where people feel informed, supported, and empowered to make good decisions, even when pressures are high.

​When organisations invest in both their people and their security culture, cyber vigilance becomes not another task on the to-do list, but a natural part of how the organisation operates every day.