When Busy Becomes Risky: Cognitive Overload and Everyday Data Incidents
- Laura Palmariello
- Oct 30, 2025
Often it’s not a lack of policy or training that causes a breach; it’s the quiet influence of a tired, overloaded mind.
This morning I received a message on my phone that showed a colleague’s name. At first glance it looked perfectly normal, a friendly note asking for my number. Except he already had my number, and we had been messaging only a few days earlier.
Before looking too closely, I sent him a quick message to check. Of course it wasn’t him. When I went back and examined it properly, I saw that the email address it had come from, which isn’t always displayed on a phone, was a random Gmail account. The sender had simply changed the display name to match my colleague’s.
There were no links, no attachments, nothing that obviously screamed danger. Yet it struck me how easy it would be, especially on a busier day, to take that message at face value and reply without a second thought.
That moment made me reflect on something much broader: how often small lapses of attention, brought on by cognitive overload and constant busyness, lead to real data incidents. Cognitive overload is a new phrase to me. I came across it while researching data breaches and exploring why so many reported incidents still come down to human error.
And just to be clear, this isn’t a call for more automation or AI to replace human judgement. Quite the opposite. It’s about understanding that when people are overwhelmed, even the most diligent professionals can miss what’s right in front of them.
The Hidden Cost of Cognitive Overload
Being busy is not just a matter of workload. It changes how our brain functions. When we are overloaded with tasks, notifications, and shifting priorities, our working memory becomes stretched. Psychologists call this cognitive overload, the point where the brain’s capacity to process information is exceeded.
When this happens, we start to rely on mental shortcuts. The brain looks for patterns and familiarity rather than analysing each detail. A familiar name or subject line feels safe. A routine message looks fine. It’s our brain’s way of coping with too much input, but it’s also exactly how mistakes creep in.
Research into cognitive overload has shown that constant interruptions and task-switching significantly increase mental fatigue and the likelihood of errors. One study found that frequent work interruptions led to higher perceived workload and more “interruption overload”, meaning people made quicker but less accurate judgements. In simple terms: the busier we are, the more likely we are to miss what’s right in front of us.
Human Error in Context
The Information Commissioner’s Office publishes quarterly data on incidents reported to it. Since 2021, the highest proportion of non-cyber incidents has consistently been cases where information was emailed to the wrong person.
Across multiple reporting periods, this single error type has remained the top cause of reported data incidents. Phishing accounts for between 8 and 11 per cent of reports, while unauthorised access typically sits between 12 and 13 per cent.
The pattern is clear: most reported data breaches begin not with technical failure but with human misjudgement, the small slips that happen when people are rushing, distracted or overloaded.
The National Cyber Security Centre (NCSC) also highlights this human factor, citing the global Verizon Data Breach Investigations Report, which found that the human element, whether error, credential misuse or social engineering, featured in 74 per cent of breaches.
These figures underline something we see daily in organisations: technology rarely fails on its own. It’s people, under pressure, tired or distracted, who become the weak link. A mistyped email address, a misdirected attachment, or a quick click on a spoofed message can all trigger serious incidents.
And while training and policies help, they can’t fully counteract what happens in the human mind when cognitive overload sets in.
When Familiarity Becomes Dangerous
The message I received is a simple example. The attacker used a known name to create trust. It’s an everyday impersonation tactic, a form of social engineering that relies on a brief lapse in attention.
On a normal day, anyone might have replied. The attacker might then move the conversation to a less secure platform such as text or WhatsApp, or follow up with a more convincing request. Sometimes, these messages are merely tests: if you respond, you confirm the address is active and that you’re receptive, information that makes you a future target.
The point is not that people are careless, but that our brains are wired to seek efficiency when overloaded. Familiar names bypass scrutiny. We default to trust when attention is thin.
Practical Habits to Reduce the Risk
You can’t remove busy days from working life, but you can build small habits that protect you even when your mind is stretched.
- Pause before reacting. Take a short breath before opening or replying to anything unexpected. That single pause interrupts autopilot.
- Check the source. A display name can be spoofed easily. Always look at the actual email address.
- Sense-check the message. Does it make sense that this person would contact you in this way? Does the tone or timing fit their usual communication style?
- Use another channel to verify. Call or message the colleague through a known route rather than replying to the email.
- Encourage a culture of checking. Normalise verification at work. It’s not mistrust, it’s professionalism.
- Be realistic about attention. If you’re in a high-stress or back-to-back day, your mental buffer is lower. Give yourself permission to slow down on anything that feels even slightly unusual.
What to Do if You Receive a Suspicious Message
The NCSC offers advice:
- Don’t reply unless you’ve confirmed authenticity.
- Check the full email address, not just the name displayed.
- Report suspicious emails to report@phishing.gov.uk, which helps the NCSC track and block malicious senders.
- If you’ve already shared information, let your IT or security team know immediately and watch for follow-up messages.
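The "check the source" habit and the advice to check the full email address can also be built into a mail filter or reporting tool, so the check does not depend on a tired reader. The Python sketch below is an added example, not part of the original article; the directory, names and addresses are constructed, and a real deployment would load them from the organisation's own address book.

```python
import unicodedata
from email.utils import parseaddr

# Constructed directory: display names mapped to the addresses known for each colleague.
KNOWN_SENDERS = {
    "sam example": {"sam.example@corp.example"},
    "priya sample": {"priya.sample@corp.example", "psample@corp.example"},
}


def normalise_name(name):
    """Fold case, compatibility characters and spacing so near-identical names match."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    # Treat "Surname, Forename" the same as "Forename Surname".
    if "," in folded:
        last, _, first = folded.partition(",")
        folded = f"{first} {last}"
    return " ".join(folded.split())


def check_from_header(from_header, directory=KNOWN_SENDERS):
    """Return (verdict, display_name, address) for one From header value."""
    display, address = parseaddr(from_header)
    address = address.lower()
    if not address:
        return ("unparseable", display, address)
    name = normalise_name(display)
    if name in directory:
        if address in directory[name]:
            return ("known", display, address)
        # Familiar name, unfamiliar address: the pattern described in the article.
        return ("name_mismatch", display, address)
    # Phone clients may show only the name, so an address placed in the
    # display name can hide the real sender.
    if "@" in display and address not in display.lower():
        return ("address_in_name", display, address)
    return ("unknown", display, address)


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("Sam Example <sam.example@corp.example>",
                   "Sam Example <random4821@mail.example>",
                   '"sam.example@corp.example" <x9@mail.example>'):
        print(check_from_header(header))
```

A `name_mismatch` verdict is a prompt to verify through another channel, not proof of impersonation, since colleagues do sometimes write from personal accounts.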
Why This Matters for Organisations
Human error remains one of the most consistent contributors to data incidents. Yet it’s not about incompetence, it’s about human limits. Even experienced professionals can miss things when under pressure.
Cognitive overload is the silent risk factor that rarely appears in board reports or breach analyses. But it’s there, shaping behaviour, eroding attention, and driving the statistics the ICO continues to publish.
The answer isn’t to train people harder or reprimand them more. It’s to design systems and cultures that make it easier to pause, to double-check, and to speak up without blame. When we create space for people to think, even briefly, we reduce the chance of costly mistakes.
The End
Being busy is often celebrated as productive, a sign of importance or dedication. But in the world of data protection, being too busy can quietly turn into risk. The same mental shortcuts that help us survive the day can lead to incidents that take months to fix.
When you’re under pressure, that second glance, the one that spots the odd address or the unusual request, could be the difference between a quiet save and a public breach.
Busyness is inevitable. Overload is optional. Awareness is everything.
Further Reading
- An Introduction to Cognitive Load Theory — The Education Hub
- Dealing with Information Overload: A Comprehensive Review — National Library of Medicine (PMC)
- Human Sustainability and Cognitive Overload at Work — Taylor & Francis, 2024
- NCSC Phishing and Social Engineering Guidance — ncsc.gov.uk

